{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34041", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T15:29:04.744Z", "datePublished": "2026-03-31T01:43:25.074Z", "dateUpdated": "2026-03-31T01:43:25.074Z"}, "containers": {"cna": {"title": "act: Unrestricted set-env and add-path command processing enables environment injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw"}, {"name": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a", "tags": ["x_refsource_MISC"], "url": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a"}, {"name": "https://github.com/nektos/act/releases/tag/v0.2.86", "tags": ["x_refsource_MISC"], "url": "https://github.com/nektos/act/releases/tag/v0.2.86"}], "affected": [{"vendor": "nektos", "product": "act", "versions": [{"version": "< 0.2.86", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:43:25.074Z"}, "descriptions": [{"lang": "en", "value": "act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86."}], "source": {"advisory": "GHSA-xmgr-9pqc-h5vw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86."}, {"lang": "es", "value": "act es un proyecto que permite la ejecuci\u00f3n local de acciones de GitHub. Antes de la versi\u00f3n 0.2.86, act procesa incondicionalmente los comandos de flujo de trabajo obsoletos ::set-env:: y ::add-path::, lo cual fue deshabilitado debido a riesgos de inyecci\u00f3n de entorno. Cuando un paso de flujo de trabajo hace eco de datos no confiables a stdout, un atacante puede inyectar estos comandos para establecer variables de entorno arbitrarias o modificar la variable PATH para todos los pasos subsiguientes en el trabajo. Este problema ha sido parcheado en la versi\u00f3n 0.2.86."}], "id": "CVE-2026-34041", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:58.053", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a"}, {"source": "security-advisories@github.com", "url": "https://github.com/nektos/act/releases/tag/v0.2.86"}, {"source": "security-advisories@github.com", "url": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.86)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "act", "source": "cna", "vendor": "nektos"}, "product": "act", "vendor": "nektos"}], "analysis": {"en": {"generated_at": "2026-03-31T05:53:27.332195+00:00", "value": {"mitigation_remediation": ["Upgrade act to version 0.2.86 or newer", "Verify that deprecated ::set-env:: and ::add-path:: commands are no longer processed during workflow execution", "Review recent workflow run logs for any unexpected environment command output"], "summary": {"action": "Patch", "impact": "Environment injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nektos:act tool. All releases earlier than version 0.2.86 are impacted. Versions 0.2.86 and later contain a patch that disables the processing of deprecated environment commands.", "description_and_impact": "Act allows local execution of GitHub Actions and, before version 0.2.86, it processes the deprecated ::set-env:: and ::add-path:: workflow commands without validation. When an untrusted workflow step echoes data to standard output, an attacker can inject these commands. The injected commands set arbitrary environment variables or modify the PATH for subsequent steps in the job, enabling an attacker to influence the execution environment of later actions.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.7, indicating medium\u2011high severity. EPSS data is unavailable and the issue is not cataloged in CISA\u2019s KEV. The likely attack vector requires an attacker to supply malicious workflow code that prints the set\u2011env or add\u2011path commands to stdout, thereby injecting environment configuration changes that persist across the job. Successful exploitation can lead to privilege escalation or arbitrary code execution within the runner environment."}}}}, "created": "2026-03-31T19:56:27.712109+00:00", "updated": "2026-03-31T20:39:38.205913+00:00", "vendors": ["nektos", "nektos$PRODUCT$act"]}