Cyber Posture

CVE-2026-26189

Medium · RCE

Published: 19 February 2026

Modified: 26 February 2026
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0009 (25.5th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26189 is a medium-severity OS Command Injection (CWE-78) vulnerability in Aquasec Trivy Action. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 25.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mandates timely remediation of the command injection flaw by upgrading the vulnerable aquasecurity/trivy-action to the patched version 0.34.0.

prevent: Requires validation of user-supplied inputs to the trivy-action to block shell metacharacters and command substitution syntax, preventing injection during the sourcing of trivy_envs.txt.

detect: Enables scanning of GitHub Actions and workflows for the CVE-2026-26189 vulnerability in trivy-action versions 0.31.0 through 0.33.1 to identify and address usage of affected components.

MITRE ATT&CK Enterprise Techniques [AI]

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1677 Poisoned Pipeline Execution (tactic: Execution)
Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.
Why these techniques?

The CVE enables command injection via shell metacharacters in a GitHub Actions workflow (a Unix shell context, T1059.004) and thereby arbitrary execution inside the CI/CD pipeline (T1677).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Trivy Action runs Trivy as a GitHub Action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. Version 0.34.0 contains a patch for this issue. The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. Workflows that do not pass attacker-controlled data into `trivy-action` inputs, workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern, and workflows where user input is not accessible are not affected.

Deeper analysis [AI]

CVE-2026-26189 is a command injection vulnerability (CWE-78) in the aquasecurity/trivy-action GitHub Action, which runs Trivy to scan Docker container images for vulnerabilities. The issue affects versions 0.31.0 through 0.33.1 and stems from improper handling of action inputs when exporting environment variables. Specifically, the action writes lines like `export VAR=<input>` to a `trivy_envs.txt` file based on user-supplied inputs, then sources this file in `entrypoint.sh` without proper shell escaping. This allows attacker-controlled input containing shell metacharacters, such as `$(...)`, backticks, or other command substitution syntax, to be evaluated.

An attacker who can supply input to a consuming GitHub Actions workflow—such as through access to user-controlled data—can exploit the vulnerability by injecting malicious payloads into any action input written to `trivy_envs.txt`. Successful exploitation leads to arbitrary command execution within the context of the GitHub Actions runner. The CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N) reflects a network-vector attack requiring high privileges and high attack complexity, with high impacts on confidentiality and integrity but no availability impact. Workflows not passing attacker-controlled data, those upgraded to patched versions, or those without accessible user input are unaffected.

Mitigation involves upgrading to version 0.34.0, which patches the issue by properly escaping shell values or eliminating the `source ./trivy_envs.txt` pattern. The GitHub security advisory (GHSA-9p44-j4g5-cfx5) and related commits detail the fix, confirming that affected workflows should avoid passing untrusted inputs to the action until patched.
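The following script is an added illustration, not code from trivy-action or its advisory. It reproduces the pattern the NVD description and the analysis above describe (export lines written to a file that is later sourced) with a harmless constructed input, and shows that single-quoting each value, one of the escaping approaches the patch description alludes to, makes the sourced line treat the value as literal data. The variable name TRIVY_TAG and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not trivy-action's own code: contrast the unsafe
# "write export lines, then source them" pattern with a quoted version.

# Wrap a value in single quotes; each embedded single quote becomes '\'' so
# the result is still one literal word when the file is sourced.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Vulnerable pattern: the value is interpolated verbatim into the export
# line, so $(...) and backticks inside it are executed when the file is sourced.
write_env_unsafe() { # name value file
    printf 'export %s=%s\n' "$1" "$2" > "$3"
}

# Hardened pattern: the value is quoted, so metacharacters stay literal data.
# (Under bash, printf '%q' is an alternative to shell_quote.)
write_env_safe() { # name value file
    printf 'export %s=%s\n' "$1" "$(shell_quote "$2")" > "$3"
}

# Source the generated file in a subshell, as an entrypoint script would, and
# return the value the named variable ends up with.
read_back() { # name file
    ( . "$2" && eval "printf '%s' \"\$$1\"" )
}

# Constructed untrusted input: a harmless marker wrapped in command substitution.
untrusted='$(echo INJECTED)'
envfile=$(mktemp)

write_env_unsafe TRIVY_TAG "$untrusted" "$envfile"
printf 'unsafe line : '; cat "$envfile"
printf 'unsafe value: %s\n' "$(read_back TRIVY_TAG "$envfile")"   # INJECTED

write_env_safe TRIVY_TAG "$untrusted" "$envfile"
printf 'safe line   : '; cat "$envfile"
printf 'safe value  : %s\n' "$(read_back TRIVY_TAG "$envfile")"   # $(echo INJECTED)

rm -f "$envfile"
```

The same quoting keeps values containing spaces, single quotes or backticks intact, which is also why an allow-list check on inputs (the SI-10 control above) is a complement to escaping rather than a replacement for the upgrade.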

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

aquasec trivy action, versions 0.31.0 to 0.34.1

CVEs Like This One

CVE-2026-1460 (shared CWE-78)
CVE-2026-22227 (shared CWE-78)
CVE-2024-54018 (shared CWE-78)
CVE-2025-22606 (shared CWE-78)
CVE-2024-55590 (shared CWE-78)
CVE-2024-57019 (shared CWE-78)
CVE-2025-5965 (shared CWE-78)
CVE-2025-22495 (shared CWE-78)
CVE-2025-53949 (shared CWE-78)
CVE-2026-26280 (shared CWE-78)

References