CVE-2026-34041 · EXPLOITED · PATCHED
go · github.com/nektos/act

act: Unrestricted set-env and add-path command processing enables environment injection

Description

act is a project that allows GitHub Actions workflows to be run locally. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions itself disabled because of environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.
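As an added illustration (not act's own code and not from the advisory): a small Go scanner that parses GitHub's `::name key=value::data` workflow-command lines out of captured step output and reports the deprecated `set-env` and `add-path` commands instead of applying them, which is the behaviour a hardened runner needs. The sample step output is constructed, and the regular expression, type and function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cmdRe matches the workflow-command line format "::name key=value,k2=v2::data".
var cmdRe = regexp.MustCompile(`^::([a-zA-Z0-9_-]+)(?:\s+([^:]*))?::(.*)$`)
// WorkflowCommand is one parsed "::name ...::data" line of step output.
type WorkflowCommand struct {
	Name   string
	Params map[string]string
	Data   string
}

// ParseWorkflowCommand parses one output line; ok is false for ordinary text.
func ParseWorkflowCommand(line string) (cmd WorkflowCommand, ok bool) {
	m := cmdRe.FindStringSubmatch(strings.TrimRight(line, "\r"))
	if m == nil {
		return cmd, false
	}
	cmd = WorkflowCommand{Name: m[1], Params: map[string]string{}, Data: m[3]}
	for _, kv := range strings.Split(m[2], ",") {
		if k, v, found := strings.Cut(strings.TrimSpace(kv), "="); found {
			cmd.Params[k] = v
		}
	}
	return cmd, true
}

// deprecated lists the commands GitHub disabled because untrusted echoed output can inject them.
var deprecated = map[string]bool{"set-env": true, "add-path": true}
// ScanStepOutput reports every deprecated command in captured step output instead of applying it.
func ScanStepOutput(output string) (found []WorkflowCommand) {
	for _, line := range strings.Split(output, "\n") {
		if cmd, ok := ParseWorkflowCommand(line); ok && deprecated[cmd.Name] {
			found = append(found, cmd)
		}
	}
	return found
}
func main() {
	// Constructed sample: a step echoing an untrusted string that carries injected commands.
	sample := "Processing input\n::set-env name=FOO::bar\n::add-path::/tmp/untrusted\n::set-output name=done::true\n"
	for _, c := range ScanStepOutput(sample) {
		fmt.Printf("refused %q params=%v data=%q\n", c.Name, c.Params, c.Data)
	}
}
```

A runner that behaves this way leaves the job environment and PATH untouched by anything a step merely prints, which is what the 0.2.86 fix restores.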

Affected Products

Vendor   Product                  Versions
go       github.com/nektos/act    < 0.2.86

References

  • https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw (x_refsource_CONFIRM)
  • https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a (x_refsource_MISC)
  • https://github.com/nektos/act/releases/tag/v0.2.86 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 2d ago
CVE-2026-34041 | nektos act prior 0.2.86 set-env/add-path injection
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: null
CWE: CWE-74
Published: Mar 27, 2026
Last enriched: 2d ago (v2)
Tags: GHSA-xmgr-9pqc-h5vw, go, CVE-2026-34041
Trending score: 32
Source articles: 1
Independent: 1
Info completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-33032 · EXP · Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover (Trending: 70)
  • MEDIUM · CVE-2026-33027 · EXP · Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory (Trending: 59)
  • HIGH · CVE-2026-33028 · EXP · Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse (Trending: 53)
  • MEDIUM · CVE-2026-33990 · Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) (Trending: 33)
  • HIGH · CVE-2026-33030 · Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys (Trending: 26)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Mar 27, 2026
  • Discovered by ZDM: Mar 27, 2026
  • Updated (severity, activelyExploited, patchAvailable, tags): Mar 28, 2026
  • Actively Exploited: Mar 31, 2026
  • Patch Available: Mar 31, 2026

Version History

v2 · Tier C · last enriched 2d ago

Updated severity to CRITICAL, marked exploit as not available, and added new CVE ID CVE-2026-34041.

Changed fields: severity, activelyExploited, patchAvailable, tags (via VulDB)

v1 · 3d ago

Initial creation