CVE-2026-34041
CRITICAL
act: Unrestricted set-env and add-path command processing enables environment injection
Title source: cnaDescription
act is a tool for running GitHub Actions workflows locally. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub's own runner disabled because of environment injection risks. When a workflow step echoes untrusted data to stdout (for example, a pull request title interpolated into a run step), an attacker who controls that data can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.
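The injection path described above, as an added example written for this page rather than code taken from nektos/act: a minimal Go model of a job runner that scans a step's stdout for `::command params::value` lines and carries the resulting environment into later steps. With `allowUnsecure` set to true it behaves like the pre-0.2.86 act described in the CVE (set-env and add-path are honoured for any stdout); with it set to false those two commands are recorded but refused. The `allowUnsecure` gate is modelled on the `ACTIONS_ALLOW_UNSECURE_COMMANDS` opt-in that GitHub's hosted runner uses; whether act 0.2.86 uses that exact variable is an assumption of this example, not something the advisory text states. The stdout lines, variable names and paths are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// StepEnv is the environment state a job runner carries from one step to the next.
type StepEnv struct {
	Env  map[string]string
	Path []string
}

// Finding records a set-env or add-path command the processor saw and whether it applied it.
type Finding struct {
	Command string
	Applied bool
}

// ProcessStdout scans a step's stdout for "::command params::value" lines.
// allowUnsecure stands in for an opt-in gate such as ACTIONS_ALLOW_UNSECURE_COMMANDS
// (an assumption of this example): false refuses set-env/add-path (the fixed behaviour),
// true applies them unconditionally (the vulnerable behaviour the CVE describes).
func ProcessStdout(stdout string, env *StepEnv, allowUnsecure bool) []Finding {
	var findings []Finding
	for _, line := range strings.Split(stdout, "\n") {
		line = strings.TrimRight(line, "\r")
		if !strings.HasPrefix(line, "::") {
			continue // ordinary output, not a workflow command
		}
		// "::cmd params::value" -> head = "cmd params", value = "value"
		rest := line[2:]
		sep := strings.Index(rest, "::")
		if sep < 0 {
			continue
		}
		head, value := rest[:sep], rest[sep+2:]
		cmd, params, _ := strings.Cut(head, " ")
		switch cmd {
		case "set-env":
			name := paramValue(params, "name")
			applied := allowUnsecure && name != ""
			if applied {
				env.Env[name] = value // leaks into every later step of the job
			}
			findings = append(findings, Finding{Command: line, Applied: applied})
		case "add-path":
			applied := allowUnsecure && value != ""
			if applied {
				env.Path = append([]string{value}, env.Path...) // attacker dir searched first
			}
			findings = append(findings, Finding{Command: line, Applied: applied})
		}
	}
	return findings
}

// paramValue extracts key=value pairs from the comma-separated command parameters.
func paramValue(params, key string) string {
	for _, kv := range strings.Split(params, ",") {
		k, v, ok := strings.Cut(kv, "=")
		if ok && k == key {
			return v
		}
	}
	return ""
}

// attackerStdout is constructed output of a step such as
//   run: echo "${{ github.event.pull_request.title }}"
// where the title is attacker-controlled. Values are made up for this example.
const attackerStdout = "Fix typo\n" +
	"::set-env name=INJECTED::owned\n" +
	"::add-path::/tmp/attacker-bin\n" +
	"::warning::harmless\n"

// Demo runs the constructed stdout through the processor in the requested mode
// and returns the environment the next step would inherit.
func Demo(allowUnsecure bool) StepEnv {
	env := StepEnv{Env: map[string]string{"CI": "true"}, Path: []string{"/usr/bin"}}
	ProcessStdout(attackerStdout, &env, allowUnsecure)
	return env
}

func main() {
	vuln := Demo(true)
	fixed := Demo(false)
	fmt.Println("vulnerable: INJECTED =", vuln.Env["INJECTED"], "PATH =", vuln.Path)
	fmt.Println("fixed:      INJECTED =", fixed.Env["INJECTED"], "PATH =", fixed.Path)
}
```

The refused commands are still returned as findings rather than silently dropped; a runner should surface them as an error in the step log, since any appearance of set-env or add-path in untrusted output is itself a signal that a workflow is echoing attacker-controlled data.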
References (3)
GitHub security advisory (x_refsource_confirm)
https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw
Fix commit (x_refsource_misc)
https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a
Patched release (x_refsource_misc)
https://github.com/nektos/act/releases/tag/v0.2.86
Scores
CVSS v3.1 base score
9.8 (Critical)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
EPSS
0.0003 (0.03% predicted probability of exploitation activity in the next 30 days)
EPSS Percentile
7.7%
CISA SSVC (Vulnrichment)
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
Status
published
Products (2)
nektos/act
< 0.2.86 (2 CPE variants)
nektos/act (Go)
0 - 0.2.86
Published
Mar 31, 2026
Tracked Since
Mar 31, 2026