CVE-2026-34041

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-34041
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34041.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34041
Aliases
Downstream
Related
Published
2026-03-31T01:43:25.074Z
Modified
2026-04-08T08:00:17.789013Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
act: Unrestricted set-env and add-path command processing enables environment injection
Details

act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34041.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-74"
    ]
}
References

Affected packages

Git / github.com/nektos/act

Affected ranges

Type
GIT
Repo
https://github.com/nektos/act
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e71313c826e8636eac974ba709dd60e02eef41bd
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.2.86"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.19
v0.2.2
v0.2.20
v0.2.21
v0.2.22
v0.2.23
v0.2.24
v0.2.25
v0.2.26
v0.2.27
v0.2.28
v0.2.29
v0.2.3
v0.2.30
v0.2.31
v0.2.32
v0.2.33
v0.2.34
v0.2.35
v0.2.36
v0.2.37
v0.2.38
v0.2.39
v0.2.4
v0.2.40
v0.2.41
v0.2.42
v0.2.43
v0.2.44
v0.2.45
v0.2.46
v0.2.47
v0.2.48
v0.2.49
v0.2.5
v0.2.50
v0.2.51
v0.2.52
v0.2.53
v0.2.54
v0.2.55
v0.2.56
v0.2.57
v0.2.58
v0.2.59
v0.2.6
v0.2.60
v0.2.61
v0.2.62
v0.2.63
v0.2.64
v0.2.65
v0.2.66
v0.2.67
v0.2.68
v0.2.69
v0.2.7
v0.2.70
v0.2.71
v0.2.72
v0.2.73
v0.2.74
v0.2.75
v0.2.76
v0.2.77
v0.2.78
v0.2.79
v0.2.8
v0.2.80
v0.2.81
v0.2.82
v0.2.83
v0.2.84
v0.2.85
v0.2.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34041.json"