CVE-2026-34041

act is a project that allows GitHub Actions workflows to be run locally. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions itself disabled because of environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker who controls that data can inject these commands to set arbitrary environment variables or modify PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.
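As an added illustration, not act's own code and not the content of the fix: a minimal Go model of a workflow-command processor in the two states the advisory describes. processVulnerable honours set-env and add-path whenever they appear in a step's stdout; processHardened refuses them unless an explicit opt-in flag is passed and reports what it refused. The regular expression, the Job type, the allowUnsecure parameter and the sample stdout are all assumptions constructed for this example; the opt-in is modelled on GitHub Actions' own ACTIONS_ALLOW_UNSECURE_COMMANDS setting, not on anything the act patch is stated to do.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative reimplementation for this page, not act's code.
//
// cmdRe matches the GitHub Actions workflow-command syntax that a runner
// reads from each step's stdout: "::name param=value,...::data".
var cmdRe = regexp.MustCompile(`^::([^\s:]+)(?:\s+([^:]*))?::(.*)$`)

// Job holds the per-job state that workflow commands can mutate for
// every subsequent step.
type Job struct {
	Env  map[string]string
	Path []string
}

func newJob() *Job {
	return &Job{Env: map[string]string{}, Path: []string{"/usr/bin"}}
}

// parseParams turns "name=FOO,other=bar" into a map.
func parseParams(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			out[strings.TrimSpace(k)] = v
		}
	}
	return out
}

// apply mutates the job for one parsed command. Both processors share it;
// they differ only in which commands are allowed to reach it.
func apply(job *Job, name string, params map[string]string, data string) {
	switch name {
	case "set-env":
		job.Env[params["name"]] = data
	case "add-path":
		job.Path = append([]string{data}, job.Path...)
	}
}

// processVulnerable models the pre-0.2.86 behaviour the advisory describes:
// set-env and add-path are honoured whenever they appear in stdout, so a step
// that echoes untrusted text lets that text rewrite the job environment.
func processVulnerable(job *Job, stdout string) {
	for _, line := range strings.Split(stdout, "\n") {
		if m := cmdRe.FindStringSubmatch(strings.TrimRight(line, "\r")); m != nil {
			apply(job, m[1], parseParams(m[2]), m[3])
		}
	}
}

// processHardened refuses the two deprecated commands unless the caller has
// opted in through a setting that lives outside the step's stdout (assumed
// flag, modelled on GitHub's own opt-in), and returns the names it refused
// so the rejection is visible in the job log instead of silently dropped.
func processHardened(job *Job, stdout string, allowUnsecure bool) []string {
	var rejected []string
	for _, line := range strings.Split(stdout, "\n") {
		m := cmdRe.FindStringSubmatch(strings.TrimRight(line, "\r"))
		if m == nil {
			continue
		}
		name := m[1]
		if (name == "set-env" || name == "add-path") && !allowUnsecure {
			rejected = append(rejected, name)
			continue
		}
		apply(job, name, parseParams(m[2]), m[3])
	}
	return rejected
}

// untrustedStdout is a constructed sample of what a step prints when it
// echoes attacker-controlled input (here a pull-request title) verbatim.
const untrustedStdout = "PR title: Fix typo\n" +
	"::set-env name=INJECTED::1\n" +
	"::add-path::/tmp/attacker-bin\n" +
	"::debug::harmless\n"

func main() {
	v := newJob()
	processVulnerable(v, untrustedStdout)
	fmt.Printf("vulnerable: env=%v path=%v\n", v.Env, v.Path)

	h := newJob()
	rejected := processHardened(h, untrustedStdout, false)
	fmt.Printf("hardened:   env=%v path=%v rejected=%v\n", h.Env, h.Path, rejected)
}
```

The point the sample makes concrete: the injected line does not need to come from the workflow file at all; any step that prints reflected input (a PR title, an issue body, a branch name) is a candidate injection point, and the prepended PATH entry is inherited by every later step in the job.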
Configurations

Configuration 1

cpe:2.3:a:nektos:act:*:*:*:*:*:*:*:*

History

06 Apr 2026, 15:34

Type | Values Removed | Values Added
References | https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a | https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a (Patch)
References | https://github.com/nektos/act/releases/tag/v0.2.86 | https://github.com/nektos/act/releases/tag/v0.2.86 (Product)
References | https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw | https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw (Exploit, Mitigation, Vendor Advisory)
CPE | | cpe:2.3:a:nektos:act:*:*:*:*:*:*:*:*
First Time | | Nektos act; Nektos

02 Apr 2026, 15:16

Type | Values Removed | Values Added
CVSS | v2: unknown; v3: unknown | v2: unknown; v3: 9.8

01 Apr 2026, 14:24

Type | Values Removed | Values Added
Summary | | (es, translated) act is a project that allows GitHub Actions to be run locally. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which were disabled because of environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH variable for all subsequent steps in the job. This issue has been patched in version 0.2.86.

31 Mar 2026, 03:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-31 03:15

Updated : 2026-04-06 15:34


NVD link : CVE-2026-34041

Mitre link : CVE-2026-34041

CVE.ORG link : CVE-2026-34041

Products Affected

nektos

  • act
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')