CVE-2026-34041: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nektos act
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.
AI Analysis
Technical Summary
The vulnerability in nektos act (versions before 0.2.86) involves improper neutralization of special elements in output used by a downstream component, specifically the deprecated GitHub Actions workflow commands ::set-env:: and ::add-path::. These commands were disabled due to security risks but were still processed unconditionally by act, allowing an attacker to inject environment variables or alter the PATH by echoing malicious data to stdout during a workflow step. This can affect all subsequent steps in the job. The vulnerability is tracked as CVE-2026-34041 with a CVSS 4.0 score of 7.7 (high severity).
Potential Impact
Exploitation of this vulnerability allows an attacker to inject arbitrary environment variables or modify the PATH environment variable for all subsequent steps in a GitHub Actions workflow run locally via act. This can lead to unexpected behavior or privilege escalation within the workflow execution context. The vulnerability is rated high severity with a CVSS score of 7.7. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been officially patched in nektos act version 0.2.86. Users should upgrade to version 0.2.86 or later to remediate this issue. Since this is not a cloud service, remediation depends on applying the patch. Patch status is confirmed by the vendor advisory stating the issue is fixed in version 0.2.86.
CVE-2026-34041: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nektos act
Description
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nektos act (versions before 0.2.86) involves improper neutralization of special elements in output used by a downstream component, specifically the deprecated GitHub Actions workflow commands ::set-env:: and ::add-path::. These commands were disabled due to security risks but were still processed unconditionally by act, allowing an attacker to inject environment variables or alter the PATH by echoing malicious data to stdout during a workflow step. This can affect all subsequent steps in the job. The vulnerability is tracked as CVE-2026-34041 with a CVSS 4.0 score of 7.7 (high severity).
Potential Impact
Exploitation of this vulnerability allows an attacker to inject arbitrary environment variables or modify the PATH environment variable for all subsequent steps in a GitHub Actions workflow run locally via act. This can lead to unexpected behavior or privilege escalation within the workflow execution context. The vulnerability is rated high severity with a CVSS score of 7.7. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been officially patched in nektos act version 0.2.86. Users should upgrade to version 0.2.86 or later to remediate this issue. Since this is not a cloud service, remediation depends on applying the patch. Patch status is confirmed by the vendor advisory stating the issue is fixed in version 0.2.86.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T15:29:04.744Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69cc1e09e6bfc5ba1d33b7f4
Added to database: 3/31/2026, 7:18:33 PM
Last enriched: 4/8/2026, 12:00:32 AM
Last updated: 5/14/2026, 12:06:37 PM
Views: 86
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.