CVE-2026-33634
BaseFortify
Publication date: 2026-03-23
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| telnyx | telnyx | 4.87.1 |
| telnyx | telnyx | 4.87.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a supply chain attack on the Trivy security scanner and its related GitHub Actions. On March 19, 2026, an attacker used compromised credentials to publish a malicious version (v0.69.4) of Trivy, force-push most version tags of the aquasecurity/trivy-action repository to credential-stealing malware, and replace all tags in aquasecurity/setup-trivy with malicious commits.
The attack was possible because credential rotation was not atomic, allowing the attacker to retain access during the rotation window and execute the attack. The compromised versions include Trivy v0.69.4, trivy-action versions 0.0.1 to 0.34.2 (except one), and setup-trivy versions 0.2.0 to 0.2.6 before a safe commit was recreated.
Users who pulled or executed these compromised versions may have had their secrets exposed and should immediately rotate all secrets accessible to affected pipelines and remove any affected artifacts.
How can this vulnerability impact me?
This vulnerability can lead to the exposure and theft of sensitive credentials and secrets used in your development and deployment pipelines.
If a compromised version of Trivy or its GitHub Actions was used in your environment, attackers could have stolen secrets, potentially allowing unauthorized access to your systems, data, or infrastructure.
This could result in further compromise, data breaches, or unauthorized actions within your environment.
- Immediate secret rotation is necessary if there is any chance the compromised versions were used.
- Affected artifacts and workflows should be removed or updated to safe versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, review your environment for usage of affected versions of Trivy and related GitHub Actions. Specifically, check if Trivy v0.69.4 was pulled or executed, and if workflows use aquasecurity/trivy-action versions 0.0.1 to 0.34.2 or aquasecurity/setup-trivy versions 0.2.0 to 0.2.6 prior to the safe commit.
Examine workflow run logs from March 19–20, 2026 for signs of compromise, especially if version tags rather than full commit SHAs were used.
Look for repositories named 'tpcp-docs' in your GitHub organization, as their presence may indicate successful exfiltration of secrets.
Suggested commands include searching your CI/CD logs and repositories for usage of the affected versions and suspicious repositories. For example, use git commands to check tags and commits in your workflows, and GitHub API or CLI to list repositories and workflow runs.
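As an added example (not from BaseFortify or the Trivy project), a small Python checker for the workflow review described above: it scans a GitHub Actions workflow file for aquasecurity/trivy-action and aquasecurity/setup-trivy references and reports whether each one is pinned to a full commit SHA, uses a tag inside the affected ranges, or uses some other mutable ref. The sample workflow embedded in it is constructed.

```python
import re
# Tag ranges from the advisory above. The one unaffected trivy-action tag is
# not named, so every tag in the range is flagged for review.
AFFECTED = {
    "aquasecurity/trivy-action": ((0, 0, 1), (0, 34, 2)),
    "aquasecurity/setup-trivy": ((0, 2, 0), (0, 2, 6)),
}
USES_RE = re.compile(r"""uses:\s*['"]?(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@'"\s]*)?@(?P<ref>[^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def classify(repo, ref):
    """'pinned', 'affected-tag', 'mutable-ref', or None for an unrelated action."""
    if repo not in AFFECTED:
        return None
    if SHA_RE.match(ref):
        # A full SHA cannot be moved by a tag force-push; still confirm the commit is known-good.
        return "pinned"
    m = VER_RE.match(ref)
    if m:
        low, high = AFFECTED[repo]
        if low <= tuple(int(x) for x in m.groups()) <= high:
            return "affected-tag"
    return "mutable-ref"  # branch, major tag (v0) or out-of-range version tag

def scan_workflow(text):
    """Return (line_no, repo, ref, verdict) for each Trivy action reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        verdict = classify(m["repo"], m["ref"]) if m else None
        if verdict:
            findings.append((no, m["repo"], m["ref"], verdict))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
if __name__ == "__main__":
    for no, repo, ref, verdict in scan_workflow(SAMPLE):
        print(f"line {no}: {repo}@{ref} -> {verdict}")
```

Run it over each file under `.github/workflows/` and treat every `affected-tag` hit as a pipeline whose secrets must be rotated; `mutable-ref` hits are not in the compromised ranges but should still be pinned to a commit SHA.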
What immediate steps should I take to mitigate this vulnerability?
Immediately remove any affected artifacts such as Trivy v0.69.4 and vulnerable versions of aquasecurity/trivy-action and aquasecurity/setup-trivy from your environment.
Rotate all secrets accessible to affected pipelines, treating them as exposed.
Review all workflows using the affected GitHub Actions and pin them to full, immutable commit SHA hashes instead of mutable version tags.
Check for the presence of suspicious repositories like 'tpcp-docs' that may indicate exfiltration and take appropriate incident response actions.
Use known safe versions: Trivy binary versions 0.69.2 and 0.69.3, trivy-action version 0.35.0, and setup-trivy version 0.2.6 with the safe commit.