The vulnerability CVE-2026-26189 affects aquasecurity's trivy-action, a GitHub Action used to scan Docker container images for vulnerabilities. Versions 0.31.0 through 0.33.1 improperly handle user-supplied inputs when exporting environment variables by writing lines like `export VAR=<input>` to a file named `trivy_envs.txt` without proper shell escaping. This file is then sourced in the action's `entrypoint.sh` script. Because the inputs are not sanitized or escaped, shell metacharacters such as command substitution syntax (`$()`, backticks) can be injected and executed by the shell during sourcing. This leads to OS command injection, allowing arbitrary command execution within the GitHub Actions runner environment. Exploitation requires that an attacker have the ability to supply input to any action input that is written to `trivy_envs.txt`. The vulnerability does not require user interaction but does require privileges to modify workflow inputs. The flaw is fixed in version 0.34.0, which either properly escapes shell values or removes the vulnerable sourcing pattern. No known exploits are reported in the wild as of now. The CVSS 3.1 score is 5.9 (medium), reflecting network attack vector, high privileges required, no user interaction, and high impact on confidentiality and integrity but no impact on availability.

If exploited, this vulnerability allows an attacker to execute arbitrary commands within the GitHub Actions runner environment. This can lead to unauthorized access to sensitive data, modification of build artifacts, injection of malicious code into software supply chains, and potential lateral movement if the runner has network access to internal resources. Since GitHub Actions runners often have access to source code repositories, secrets, and deployment credentials, the confidentiality and integrity of the software development lifecycle can be severely compromised. Organizations relying on trivy-action in their CI/CD pipelines may face risks of supply chain attacks, data breaches, and disruption of automated security scanning processes. The impact is particularly critical for organizations with complex workflows that incorporate user inputs or third-party data into trivy-action inputs. However, the requirement for attacker-controlled input and the need for high privileges to modify workflows somewhat limit the exploitability scope.

The primary mitigation is to upgrade aquasecurity/trivy-action to version 0.34.0 or later, which contains the patch that properly escapes shell inputs or removes the vulnerable sourcing mechanism. Organizations should audit all GitHub workflows using trivy-action to identify if any user-controlled or untrusted inputs are passed to the action inputs that are written to `trivy_envs.txt`. Restrict permissions on who can modify workflows to prevent unauthorized injection of malicious inputs. Avoid passing untrusted data into action inputs that influence environment variables or shell commands. Consider implementing additional runtime protections such as GitHub Actions runner isolation and secrets scanning. Review and harden CI/CD pipeline security policies to minimize exposure to supply chain threats. Monitoring for unusual runner activity and logs can help detect exploitation attempts. Finally, educate developers and DevOps teams about secure usage of GitHub Actions and environment variable handling.