theinfosecnews

CVE-2026-33634

CISA KEV

Published March 26, 2026 · Updated April 3, 2026

high

What This Means

**CVE-2026-33634: Malicious Code in Aquasecurity Trivy**

Aquasecurity Trivy contains embedded malicious code that exfiltrates secrets from CI/CD environments—tokens, SSH keys, cloud credentials, and database passwords—giving attackers complete access to your build pipeline and downstream infrastructure. Any system running affected Trivy versions will expose all in-memory sensitive data to the threat actor.

**Immediate Actions:**

  1. Audit all Trivy deployments; identify affected versions and remove them from CI/CD pipelines immediately.
  2. Rotate all credentials, API tokens, SSH keys, and cloud service account credentials that may have been accessible during Trivy execution.
  3. Review CI/CD logs and cloud audit trails for unauthorized access or lateral movement originating from build systems.
  4. Monitor for supply-chain compromises—check if downstream artifacts built with compromised Trivy were signed or distributed.

Confirm the malicious version with Aquasecurity's advisory before patching, as this affects the integrity of your entire artifact pipeline.
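One way to start the audit in the first action, as an added example that is not code from this page or from Aquasecurity: it scans pipeline definitions for Trivy references and grades how each one is pinned. `AFFECTED_VERSIONS` is a placeholder to fill from the vendor advisory, since this page lists no versions. The `aquasecurity/trivy-action`, `aquasec/trivy` and `ghcr.io/aquasecurity/trivy` names are the public distribution names, not taken from this page, and the sample workflow is constructed.

```python
import re

# Assumption: placeholder value. The page lists no affected versions; fill this
# set from Aquasecurity's advisory before relying on the verdicts.
AFFECTED_VERSIONS = {"0.0.0-EXAMPLE"}

ACTION_RE = re.compile(r"uses:\s*aquasecurity/trivy-action@([^\s#]+)")
IMAGE_RE = re.compile(
    r"\b(?:aquasec|ghcr\.io/aquasecurity)/trivy(?:[:@]([\w.:\-]+))?(?![\w/\-])")

def classify_image(ref):
    """Image tags carry the Trivy version, so they compare directly."""
    if ref is None or ref == "latest":
        return "UNPINNED: find the digest each run pulled, then compare"
    if ref.startswith("sha256:"):
        return "DIGEST: map the digest to a release, then compare"
    if ref.lstrip("v") in AFFECTED_VERSIONS:
        return "AFFECTED: remove; rotate secrets this job could read"
    return "OK: pinned tag not in affected set"

def classify_action(ref):
    """An action ref is not the Trivy binary version, so it needs a manual check."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "REVIEW: commit-pinned; check which Trivy it installs"
    return "REVIEW: mutable ref; check which Trivy past runs installed"

def audit(path, text):
    """Return (path, line_no, kind, ref, verdict) for every Trivy reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ACTION_RE.finditer(line):
            findings.append((path, no, "action", m[1], classify_action(m[1])))
        for m in IMAGE_RE.finditer(line):
            findings.append((path, no, "image", m[1], classify_image(m[1])))
    return findings

# Constructed sample workflow, embedded so the example runs offline.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/trivy-action@master
      - run: docker run aquasec/trivy:0.0.0-EXAMPLE image app:ci
      - run: docker run ghcr.io/aquasecurity/trivy image app:ci
"""

if __name__ == "__main__":
    for finding in audit(".github/workflows/scan.yml", SAMPLE):
        print(*finding, sep=" | ")
```

Run `audit()` over every workflow, Dockerfile and pipeline script in the repository; every job that references an AFFECTED or unresolved entry defines the set of secrets to rotate in the second action.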

Official Description

Aquasecurity Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

Affected Products

| Vendor | Product |
| --- | --- |
| Aquasecurity | Trivy |

Patch Status

Patch by 2026-04-09

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-33634.

Related Coverage

Vulnerability

CVE-2026-33634: Aqua Security Trivy Contains Embedded Malicious Code Targeting CI/CD Secrets

CVE-2026-33634 is an embedded malicious code vulnerability in Aqua Security's Trivy scanner that exfiltrates CI/CD secrets—including cloud credentials, SSH keys, API tokens, and database passwords—from any pipeline where affected versions execute. The flaw operates with the permissions Trivy already holds during normal pipeline execution, requiring no privilege escalation. CISA has added this to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 9, 2026.

CISA KEV · 8d ago · 4 min read