Bug 2453285 (CVE-2026-34041)

Summary: CVE-2026-34041 act: github.com/nektos/act: act: Privilege escalation and arbitrary code execution via environment variable injection
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in act, a project that allows local execution of GitHub Actions. This vulnerability arises from the unconditional processing of deprecated workflow commands, specifically ::set-env:: and ::add-path::, which were previously disabled due to environment injection risks. A remote attacker can exploit this by injecting these commands when a workflow step echoes untrusted data to standard output. This allows the attacker to set arbitrary environment variables or modify the system's execution path for all subsequent steps within the job, potentially leading to privilege escalation or arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2454355, 2454356, 2454357    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-31 03:02:35 UTC 
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.