Skip to content

x/vulndb: potential Go vuln in github.com/nektos/act: GHSA-xmgr-9pqc-h5vw #4891

New issue
New issue
Open
Open
x/vulndb: potential Go vuln in github.com/nektos/act: GHSA-xmgr-9pqc-h5vw#4891
Labels
NeedsTriage
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Mar 27, 2026

Advisory GHSA-xmgr-9pqc-h5vw references a vulnerability in the following Go modules:

Module
github.com/nektos/act

Description:

Summary

act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.

Vulnerable Code

pkg/runner/command.go, lines 52-58:

switch command {
case "set-e...

References:
- ADVISORY: https://github.com/advisories/GHSA-xmgr-9pqc-h5vw
- ADVISORY: https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw
- FIX: https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a
- WEB: https://github.com/advisories/GHSA-mfwh-5m23-j46w
- WEB: https://github.com/nektos/act/releases/tag/v0.2.86

Cross references:
- github.com/nektos/act appears in 1 other report(s):
  - data/reports/GO-2023-1504.yaml    (https://github.com/golang/vulndb/issues/1504)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
- module: github.com/nektos/act
non_go_versions:
- introduced: TODO (earliest fixed "0.2.86", vuln range "<= 0.2.85")
vulnerable_at: 0.2.86
summary: |-
act: Unrestricted set-env and add-path command processing enables environment
injection in github.com/nektos/act
cves:
- CVE-2026-34041
ghsas:
- GHSA-xmgr-9pqc-h5vw
references:
- advisory: GHSA-xmgr-9pqc-h5vw
- advisory: GHSA-xmgr-9pqc-h5vw
- fix: nektos/act@0c739c8
- web: GHSA-mfwh-5m23-j46w
- web: https://github.com/nektos/act/releases/tag/v0.2.86
source:
id: GHSA-xmgr-9pqc-h5vw
created: 2026-03-27T20:01:47.187806823Z
review_status: UNREVIEWED

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsTriage

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions