CVE-2026-34041: act: Unrestricted set-env and add-path command processing enables environment injection
(updated )
act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.
References
- github.com/advisories/GHSA-mfwh-5m23-j46w
- github.com/advisories/GHSA-xmgr-9pqc-h5vw
- github.com/nektos/act
- github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a
- github.com/nektos/act/releases/tag/v0.2.86
- github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw
- nvd.nist.gov/vuln/detail/CVE-2026-34041
Code Behaviors & Features
Detect and mitigate CVE-2026-34041 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →