#VU124869 OS Command Injection in trivy-action - CVE-2026-26189
Published: April 4, 2026
Vulnerability identifier: #VU124869
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26189
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
trivy-action
trivy-action
Software vendor:
Aqua Security
Aqua Security
Description
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements used in an os command in the composite action environment variable export and sourcing logic when processing attacker-controlled action inputs into trivy_envs.txt. A remote privileged user can supply input containing shell metacharacters to execute arbitrary commands.
The issue affects workflows that pass attacker-controlled data into action inputs that are written to trivy_envs.txt and then sourced by entrypoint.sh, resulting in command execution in the GitHub Actions runner context.
Remediation
Install security update from vendor's website.