Supply Chain Vulnerability in Aqua Security Trivy and GitHub Actions
CVE-2026-33634

9.4 CRITICAL

Key Information:

CVE Published: 23 March 2026

Badges:

  • 📈 Score: 293
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 🟣 EPSS 20%
  • 🦅 CISA Reported

What is CVE-2026-33634?

CVE-2026-33634 is a high-severity supply chain vulnerability impacting Aqua Security's Trivy, a popular open-source security scanner used for container images and infrastructure as code. This vulnerability emerged when threat actors compromised credentials to publish a malicious release of Trivy (version 0.69.4) on March 19, 2026. The malicious release included credential-stealing malware within the GitHub Actions associated with Aqua Security, specifically aquasecurity/trivy-action and aquasecurity/setup-trivy. This security incident highlights a critical flaw in credential management, as the attacker was able to leverage valid tokens during a window created by a non-atomic credential rotation, allowing them to exfiltrate sensitive information as security measures were implemented. Organizations utilizing affected components face a substantial risk of data breaches, unauthorized access, and further exploitation if the vulnerability is not promptly addressed.

Potential impact of CVE-2026-33634

  1. Credential Theft: The vulnerability allows attackers to compromise secret credentials during the rotation process, leading to the potential theft of sensitive information. This exfiltration can provide further access to organizational systems, amplifying the severity of the breach.

  2. Malicious Code Execution: By disseminating a malicious version of Trivy, attackers can execute harmful code within environments using affected components. This could lead to malware installation or other nefarious actions that compromise the integrity and security of development and operational pipelines.

  3. Supply Chain Compromise: Organizations reliant on Aqua Security's tools face a direct threat to their software supply chain integrity. The ability for an attacker to manipulate a widely used security tool raises concerns not only for the immediate victim but also for the broader community relying on the reliability of the infrastructure and security practices established by open-source projects.

CISA has reported CVE-2026-33634

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-33634 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


Affected Version(s)

LiteLLM >= 1.82.7, <= 1.82.8

setup-trivy < 0.2.6

telnyx >= 4.87.1, <= 4.87.2
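As an added defender-side check that is not part of this advisory or of Aqua Security's own tooling: a small audit that scans a GitHub Actions workflow file for the two actions named above, flagging aquasecurity/setup-trivy tags below the fixed 0.2.6, floating refs such as a branch name, and any request for Trivy 0.69.4, the malicious release named above. The sample workflow and its `version:` input are constructed for illustration, and because the page lists no fixed version for aquasecurity/trivy-action, any tag reference to it is reported for manual confirmation.

```python
import re

# Actions named in this advisory; the fixed version is only given for setup-trivy.
AFFECTED_ACTIONS = {"aquasecurity/setup-trivy": (0, 2, 6), "aquasecurity/trivy-action": None}
# Malicious Trivy release named in the advisory, matched as a whole version string.
MALICIOUS_VERSION_RE = re.compile(r"(?<![\d.])0\.69\.4(?![\d.])")
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref):
    """Turn a tag such as v0.2.5 into (0, 2, 5); None for branch names or commit SHAs."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)$", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text):
    """Return (line number, finding) pairs for risky references in one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m and m.group(1) in AFFECTED_ACTIONS:
            action, ref = m.group(1), m.group(2)
            fixed, ver = AFFECTED_ACTIONS[action], parse_version(ref)
            if SHA_RE.match(ref):
                pass  # commit-pinned: not flagged here, but still confirm the SHA is a clean release
            elif ver is None:
                findings.append((lineno, f"{action}@{ref} is a floating ref; pin to a verified commit SHA"))
            elif fixed is not None and ver < fixed:
                findings.append((lineno, f"{action}@{ref} is below the fixed version 0.2.6"))
            elif fixed is None:
                findings.append((lineno, f"{action}@{ref} is named in the advisory; confirm the tag is a clean release"))
        if MALICIOUS_VERSION_RE.search(line):
            findings.append((lineno, "Trivy 0.69.4 requested: this is the malicious release"))
    return findings


# Constructed sample workflow (not from any real repository); the `version:` input is illustrative.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567
"""
```

Run `audit_workflow` over each file under `.github/workflows/` to get a per-line list of references to fix; a clean run returns an empty list.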

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

EPSS Score

20% chance of being exploited in the next 30 days.

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • Vulnerability published

  • Vulnerability Reserved
