LiveActive security incident?Get immediate response
CVE Record

CVE-2026-33634: Trivy ecosystem supply chain briefly compromised

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.

CriticalCVSS 9.4Known exploitedUpdated
Glexia's TakeHuman reviewedcritical

Security readout for executives and security teams

Plain-English summary

This was a confirmed supply-chain compromise affecting Trivy releases and related GitHub Actions. Malicious versions could steal secrets from CI/CD environments. If your organization ran the affected Trivy binary, container image, or Aqua Security actions during the March 19–20 window, treat accessible pipeline secrets as exposed.

Executive priority

Treat this as an urgent CI/CD incident response item, not routine patching. Prioritize organizations using Trivy in automated pipelines because stolen build secrets can enable broader compromise across source code, cloud, and deployment systems.

Technical view

A compromised credential enabled publication of malicious Trivy v0.69.4, force-pushed tags for aquasecurity/trivy-action versions 0.0.1–0.34.2, and replaced setup-trivy tags 0.2.0–0.2.6 before safe recreation. Sources also list LiteLLM 1.82.7–1.82.8 and telnyx-python 4.87.1–4.87.2 advisories connected to the broader campaign.

Likely exposure

Exposure is most likely in GitHub Actions or build systems that referenced mutable Aqua Security tags, pulled Trivy v0.69.4, or used affected related packages. The highest risk is theft of repository, cloud, package registry, and deployment secrets available to those workflows.

Exploitation context

This is not just a theoretical flaw; the source bundle describes a real malicious release and tag replacement incident. CISA KEV is listed as false, so do not treat it as KEV-confirmed exploitation. The practical concern is whether compromised components executed in your environment.

Researcher notes

Evidence indicates credential rotation after an earlier disclosure was not atomic, allowing possible continued attacker access. The affected surface includes mutable GitHub Action tags and a malicious Trivy release. Avoid assuming safety based only on version tags; validate commit references, execution history, and secret exposure paths.

Mitigation direction

  • Remove Trivy v0.69.4 and affected artifacts from caches, registries, and build images.
  • Move trivy-action to version 0.35.0 or vendor-designated safe guidance.
  • Use Trivy binary versions 0.69.2 or 0.69.3 where applicable.
  • Use setup-trivy 0.2.6 only after confirming it references the recreated safe commit.
  • Rotate all secrets accessible to affected workflows if compromise is possible.
  • Pin GitHub Actions to full immutable commit SHAs, not mutable version tags.

Validation and detection

  • Inventory workflows using aquasecurity/trivy-action or aquasecurity/setup-trivy.
  • Check whether Trivy v0.69.4 was pulled or executed from any source.
  • Review March 19–20, 2026 workflow logs for affected tag usage.
  • Search GitHub organizations for repositories named tpcp-docs.
  • Check package inventories for LiteLLM 1.82.7–1.82.8 and telnyx-python 4.87.1–4.87.2.
  • Review vendor advisories for any updated indicators, safe versions, or additional scope.
Prepared
Reviewed
Confidence
high
Sources
9

Michael Williams reviewed this cited source version on .

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-506: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-33634 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.4 (4.0)
Known Exploited
Yes
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
14Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.4CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

9.4Critical
CVSS 4.0 vector shape for CVE-2026-33634Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
aquasecuritysetup-trivy< 0.2.6Listed
aquasecuritytrivy-action< 0.35.0Listed
aquasecuritytrivy= 0.69.4Listed
BerriAILiteLLM>= 1.82.7, <= 1.82.8Listed
team-telnyxtelnyx>= 4.87.1, <= 4.87.2Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-506 · source CWE mapping

Embedded Malicious Code

Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.