2453285 – (CVE-2026-34041) CVE-2026-34041 act: github.com/nektos/act: act: Privilege escalation and arbitrary code execution via environment variable injection

Bug 2453285 (CVE-2026-34041) - CVE-2026-34041 act: github.com/nektos/act: act: Privilege escalation and arbitrary code execution via environment variable injection

Summary: CVE-2026-34041 act: github.com/nektos/act: act: Privilege escalation and arbi...

Keywords:
Status:	NEW
Alias:	CVE-2026-34041
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2454355 2454356 2454357
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-31 03:02 UTC by OSIDB Bzimport
Modified:	2026-04-02 14:22 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-31 03:02:35 UTC

act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.

Note You need to log in before you can comment on or make changes to this bug.