Home / Vulnerability Intelligence / CVE-2026-33634

CVE-2026-33634 - Vulnerability Analysis

N/a

Last Updated: March 24, 2026

Aqua Security Trivy - Supply Chain Attack

Published: March 23, 2026Updated: March 24, 2026PoC Available

Overview

Aqua Security Trivy v0.69.4, trivy-action 0.0.1–0.34.2, and setup-trivy 0.2.0–0.2.6 contain a supply chain attack caused by compromised credentials allowing malicious code injection in releases and GitHub Actions, letting attackers steal credentials and exfiltrate secrets, exploit requires compromised credentials.

Severity & Score

Severity: N/a

EPSS Score: 4.3%(Probability of exploitation in next 30 days)

Impact

Attackers can steal credentials and exfiltrate secrets, leading to full compromise of affected pipelines and environments.

Mitigation

Update to Trivy versions 0.69.2 or 0.69.3, trivy-action 0.35.0, and setup-trivy 0.2.6 with safe commits; rotate all exposed secrets and pin GitHub Actions to immutable commit SHAs

References

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 24, 2026

CVE-2026-33634: CRITICAL supply chain vuln in aquasecurity Trivy & GitHub Actions (<0.2.6) — credential-stealing malware deployed. Rotate all secrets, use safe versions, audit logs for 'tpcp-docs'. Full details: https://radar.offseq.com/threat/cve-2026-33634-cwe-506-embedded-malicious-code-in--163a34d0 #OffSeq #SupplyChain #CVE2026_33634

View original post

Related Resources

Details

CVE ID: CVE-2026-33634
Severity: N/a
Type: supply_chain_attack
Status: unconfirmed
EPSS: 4.3%
Social Posts: 1

CWE

CWE-506

CVSS Metrics

N/A

EPSS Score

4.3%Probability of exploitation in the next 30 days