CVE-2026-34041: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nektos act
CVE-2026-34041 is a high-severity injection vulnerability in versions of the nektos act tool prior to 0.2.86. The tool, which allows local execution of GitHub Actions workflows, improperly processes the deprecated workflow commands ::set-env:: and ::add-path::. An attacker able to inject untrusted data into a workflow step's stdout can exploit this to set arbitrary environment variables or alter the PATH for subsequent steps, potentially compromising the workflow execution environment. This vulnerability does not require privileges but does require user interaction and can lead to significant confidentiality, integrity, and availability impacts. The issue was patched in version 0.2.86. Organizations using act for local CI/CD testing should upgrade immediately and audit workflows for untrusted input handling.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-34041 affects the nektos act project, a tool designed to run GitHub Actions workflows locally. Prior to version 0.2.86, act unconditionally processes the deprecated workflow commands ::set-env:: and ::add-path::. These commands were disabled in GitHub Actions due to environment injection risks but remained active in act. When a workflow step outputs untrusted data to stdout, an attacker can inject these commands, which act interprets, allowing them to set arbitrary environment variables or modify the PATH environment variable for all subsequent steps in the job. This improper neutralization of special elements in output (classified under CWE-74) leads to an injection vulnerability that can be exploited remotely without authentication but requires user interaction (running the workflow). The vulnerability affects all versions of act before 0.2.86 and can compromise the confidentiality, integrity, and availability of the local CI/CD environment by enabling malicious code execution or environment manipulation. The issue was publicly disclosed and patched in version 0.2.86. No known exploits in the wild have been reported yet. The CVSS v4.0 score is 7.7 (high), reflecting the ease of exploitation and potential impact. This vulnerability is particularly relevant for developers and organizations using act to test GitHub Actions workflows locally, especially when workflows process untrusted input.
Potential Impact
The exploitation of CVE-2026-34041 can have significant impacts on organizations using nektos act for local CI/CD pipeline testing. Attackers can inject malicious environment variables or alter the PATH, potentially leading to execution of arbitrary code in subsequent workflow steps. This compromises the integrity of the build and test environment, possibly allowing attackers to escalate privileges, exfiltrate sensitive information, or disrupt the build process, affecting availability. Since act is used locally, the threat primarily targets developer machines or CI environments that rely on act for testing workflows before deployment. If attackers can supply or influence workflow inputs, they can manipulate the environment to bypass security controls or introduce malicious artifacts. This can lead to supply chain risks if compromised workflows are later pushed to production. The vulnerability’s impact spans confidentiality, integrity, and availability, making it critical for organizations to address promptly to maintain secure development pipelines.
Mitigation Recommendations
To mitigate this vulnerability, organizations and developers should immediately upgrade nektos act to version 0.2.86 or later, where the processing of deprecated ::set-env:: and ::add-path:: commands has been disabled. Additionally, workflows should be audited to ensure they do not echo untrusted or user-controlled data to stdout, particularly data that could be interpreted as workflow commands. Implement strict input validation and sanitization in workflows to prevent injection of special commands. Avoid using deprecated workflow commands and migrate to the recommended environment variable and path management methods provided by GitHub Actions. Limit the use of act to trusted workflows and environments, and consider isolating local CI/CD testing environments to reduce risk exposure. Monitoring and logging of workflow executions can help detect anomalous environment changes. Finally, educate developers about the risks of injecting untrusted data into workflow outputs.
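The following is an added example, not code from the advisory or from the act project, illustrating the audit and monitoring steps above: it parses captured step output using the workflow-command grammar as GitHub's runner is assumed to apply it (`::command key=value::value`, keyed on a line-leading `::`), flags the deprecated `set-env` and `add-path` commands that an unpatched act would honour, and shows a simple way to make such lines inert before they reach a downstream runner. The sample output lines are constructed for the example.

```python
import re

# Workflow-command grammar as GitHub's runner parses it (assumed here):
#   ::<command> [key=value,...]::<value>
# The two deprecated commands honoured by act before 0.2.86, per the advisory.
WORKFLOW_CMD = re.compile(
    r"^::(?P<cmd>[^\s:]+)(?:\s+(?P<props>[^:]*))?::(?P<value>.*)$"
)
DEPRECATED_ENV_COMMANDS = {"set-env", "add-path"}


def parse_workflow_command(line):
    """Return {command, props, value} if the line is a workflow command, else None."""
    m = WORKFLOW_CMD.match(line.strip())  # stripping is conservative: flag more, not fewer
    if not m:
        return None
    props = {}
    for pair in (m.group("props") or "").split(","):
        key, _, val = pair.partition("=")
        if key.strip():
            props[key.strip()] = val.strip()
    return {"command": m.group("cmd"), "props": props, "value": m.group("value")}


def find_deprecated_env_commands(lines):
    """(line_no, description) for each line an unpatched act would turn into an env/PATH change."""
    findings = []
    for no, line in enumerate(lines, 1):
        cmd = parse_workflow_command(line)
        if not cmd or cmd["command"] not in DEPRECATED_ENV_COMMANDS:
            continue
        if cmd["command"] == "set-env":
            findings.append((no, f"set-env {cmd['props'].get('name', '?')}={cmd['value']}"))
        else:
            findings.append((no, f"add-path {cmd['value']}"))
    return findings


def neutralize(line):
    """Break the line-leading '::' the runner keys on, so the text is logged but never interpreted."""
    stripped = line.lstrip()
    return "[neutralized] " + stripped if stripped.startswith("::") else line


# Constructed sample of one step's stdout (not taken from any real workflow).
SAMPLE_STEP_OUTPUT = [
    "Running tests...",
    "::warning::2 tests skipped",            # legitimate logging command, not flagged
    "::set-env name=CI_FLAG::injected",      # would set CI_FLAG for all later steps
    "::add-path::/tmp/untrusted-bin",        # would prepend to PATH for later steps
    "echo ::set-env is not a command here",  # '::' not at line start, not flagged
]

if __name__ == "__main__":
    for no, desc in find_deprecated_env_commands(SAMPLE_STEP_OUTPUT):
        print(f"line {no}: {desc}")
```

Running the scanner over archived act logs, or piping a step's stdout through `neutralize` before a downstream runner sees it, covers the detection and sanitization points of the mitigation paragraph respectively.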
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-25T15:29:04.744Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cc1e09e6bfc5ba1d33b7f4
Added to database: 3/31/2026, 7:18:33 PM
Last enriched: 3/31/2026, 7:19:58 PM
Last updated: 3/31/2026, 10:15:11 PM