PT-2026-28594 · Act · Act

Golang-Not-Rust · Published 2026-03-27 · Updated 2026-04-07 · CVE-2026-34041

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: act versions prior to 0.2.86

Description: act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled due to environment injection risks. When a workflow step echoes untrusted data to standard output, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act less secure than GitHub Actions for the same workflow file. Exploitation can occur through malicious pull request titles, branch names, or commit messages if these are echoed to standard output. Successful exploitation can lead to command injection via environment variables such as LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, BASH_ENV, and PERL5OPT, PATH hijacking, and cross-step escalation. The vulnerable code resides in pkg/runner/command.go, lines 52-58, where there is no check for the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable.
Recommendations: Update to act version 0.2.86 or later.
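As an added illustration of the missing check (example code, not act's own from pkg/runner/command.go), this Go program parses workflow commands from step output and refuses the deprecated ::set-env:: and ::add-path:: commands unless the caller has explicitly opted in, which is the gate the fixed version applies; commandRe, Env and ApplyCommand are names chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches a workflow command written to stdout, e.g. "::set-env name=FOO::bar".
// Hypothetical pattern written for this example, not act's own parser.
var commandRe = regexp.MustCompile(`^::([^\s:]+)(?:\s+([^:]*))?::(.*)$`)

// Env is the environment that later steps of the job would inherit.
type Env map[string]string

// ApplyCommand handles one stdout line the way the fixed runner must: the deprecated
// set-env/add-path commands are refused unless the user explicitly opted in through
// ACTIONS_ALLOW_UNSECURE_COMMANDS (allowUnsecure). Returns whether env changed and why not.
func ApplyCommand(line string, env Env, allowUnsecure bool) (bool, string) {
	m := commandRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return false, "" // ordinary output, not a workflow command
	}
	name, params, data := m[1], m[2], m[3]
	if (name == "set-env" || name == "add-path") && !allowUnsecure {
		return false, "refused deprecated ::" + name + ":: (ACTIONS_ALLOW_UNSECURE_COMMANDS not set)"
	}
	switch name {
	case "set-env":
		key := strings.TrimPrefix(params, "name=")
		if key == params || key == "" {
			return false, "set-env without a name parameter"
		}
		env[key] = data
		return true, ""
	case "add-path":
		env["PATH"] = data + ":" + env["PATH"] // prepend, as the real command does
		return true, ""
	}
	return false, "" // other commands (::warning:: etc.) never touch env
}

func main() {
	env := Env{"PATH": "/usr/bin"}
	// Constructed sample: output of a step that echoed an untrusted PR title.
	for _, line := range []string{"::set-env name=INJECTED::1", "::add-path::/tmp/bin", "build ok"} {
		ok, why := ApplyCommand(line, env, false) // vulnerable act behaved as if this were true
		fmt.Printf("%-30q applied=%v %s\n", line, ok, why)
	}
	fmt.Println("env after step:", env)
}
```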

Weakness Enumeration: Special Elements Injection

Related Identifiers

CVE-2026-34041
GHSA-XMGR-9PQC-H5VW
GO-2026-4891
SUSE-SU-2026:1205-1

Affected Products

Act