
CVE-2026-33634

Aquasecurity Trivy Embedded Malicious Code Vulnerability

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026.

Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have used a still-valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack.

Affected components include the aquasecurity/trivy Go module / container image version 0.69.4, the aquasecurity/trivy-action GitHub Action versions 0.0.1 - 0.34.2 (76 of 77 tags), and the aquasecurity/setup-trivy GitHub Action versions 0.2.0 - 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions are 0.69.2 and 0.69.3 of the Trivy binary, 0.35.0 of trivy-action, and 0.2.6 of setup-trivy (as recreated). In addition, take the further mitigations below to ensure the safety of secrets.

If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately.

Review all workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19-20, 2026 for signs of compromise. Look for repositories named tpcp-docs in one's GitHub organization.

The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHAs rather than mutable version tags.
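One way to carry out the workflow review above, as an added example that is not from the advisory or from Aqua Security: a small Python audit that walks the `uses:` lines of a workflow file, flags references to the two compromised actions that still float on a mutable tag instead of a full 40-hex commit SHA, and reports whether a tag falls inside the affected ranges the advisory gives. The sample workflow and the SHA inside it are constructed placeholders.

```python
import re

# Affected actions and tag ranges from the advisory: 0.0.1-0.34.2 and 0.2.0-0.2.6.
AFFECTED_ACTIONS = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA = immutable pin
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_version(ref):
    """'v0.2.3' -> (0, 2, 3); None for branches, SHAs and other refs."""
    m = VERSION_RE.match(ref)
    return tuple(int(p) for p in m.groups() if p is not None) if m else None

def audit_workflow(text):
    """Scan workflow YAML line by line for `uses:` of the affected actions.
    Returns (line_no, action, ref, pinned_to_sha, in_affected_range); the last
    field is None when the ref is not a version tag (e.g. a SHA or branch)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1) not in AFFECTED_ACTIONS:
            continue
        action, ref = m.group(1), m.group(2)
        pinned = bool(SHA_RE.match(ref))
        ver = parse_version(ref)
        lo, hi = AFFECTED_ACTIONS[action]
        in_range = None if ver is None else lo <= ver <= hi
        findings.append((n, action, ref, pinned, in_range))
    return findings

def mutable_refs(text):
    """Only the hits that still float on a tag and need re-pinning to a SHA."""
    return [f for f in audit_workflow(text) if not f[3]]

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
```

Run `audit_workflow` over each file under `.github/workflows/`; every hit with `pinned_to_sha` False is a reference that a force-pushed tag could have redirected and should be re-pinned to a reviewed commit.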

HIGH · CVSS 8.8 · CISA KEV · EPSS 0.23896
Act now:
  • Listed on CISA KEV (known exploited in the wild)
  • SSVC exploitation status: active
  • EPSS ≥ 0.10: elevated exploitation probability
  • EPSS percentile: top 4% of all CVEs by exploitation likelihood
  • Public exploit or PoC is available
  • CVSS base score ≥ 7.0

Required Remediation

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Products & Versions

  • aquasec trivy: all versions
  • litellm: all versions
  • telnyx: all versions

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it, the dependency-level detail NVD doesn't carry.
  • GitHub Actions · aquasecurity/setup-trivy · CRITICAL · fixed in 0.2.6
  • GitHub Actions · aquasecurity/trivy-action · CRITICAL · fixed in 0.35.0
  • Go · github.com/aquasecurity/trivy


Scoring & Timeline

8.8 HIGH · CVSS v3.1 · source: security-advisories@github.com
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Published to NVD: 23 Mar 2026 · 10:16 PM

SSVC triage (cisa-vulnrichment)
  • Exploitation: active
  • Automatable: no
  • Technical impact: total
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

References & Sources

Source URLs (vendor pages, mailing lists, write-ups):
  • https://github.com/BerriAI/litellm/issues/24518 (Issue Tracking, Mitigation, Third Party Advisory)
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin