Key Takeaway
CVE-2026-33634 is an embedded malicious code vulnerability in Aqua Security's Trivy scanner that exfiltrates CI/CD secrets—including cloud credentials, SSH keys, API tokens, and database passwords—from any pipeline where affected versions execute. The flaw operates with the permissions Trivy already holds during normal pipeline execution, requiring no privilege escalation. CISA has added this to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of April 9, 2026.
CVE-2026-33634: Aqua Security Trivy Contains Embedded Malicious Code Targeting CI/CD Secrets
- CVE ID: CVE-2026-33634
- Vendor: Aqua Security
- Product: Trivy (vulnerability scanner)
- CISA KEV Patch Deadline: April 9, 2026
Vulnerability Overview
CVE-2026-33634 identifies an embedded malicious code vulnerability in Aqua Security's Trivy, a widely deployed open-source vulnerability scanner used in CI/CD pipelines across enterprise and cloud-native environments. The flaw allows an attacker to execute unauthorized code within the build environment where Trivy runs, exfiltrating sensitive data accessible at runtime.
This is a supply chain compromise at the tooling layer. Unlike misconfiguration or logic bugs, embedded malicious code means the threat is baked into the software artifact itself—executed automatically when Trivy runs as part of a normal pipeline job.
Technical Details
- Vulnerability Class: Embedded Malicious Code (CWE-506)
- Attack Vector: Local / CI/CD pipeline execution context
- Privileges Required: None beyond what Trivy itself requires to run
- User Interaction: None — triggers on normal Trivy execution
The malicious code embedded in affected Trivy versions targets the runtime memory and environment of the process, harvesting:
- CI/CD environment variables — including pipeline secrets, API tokens, and webhook credentials
- SSH private keys — accessible in the build agent's filesystem or SSH agent
- Cloud provider credentials — AWS IAM keys, GCP service account tokens, Azure managed identity tokens
- Database connection strings and passwords
- Any sensitive configuration loaded into memory during the scan job
Because Trivy is typically granted broad read access to container images, filesystems, and runtime environments to perform its scanning function, the malicious code operates with elevated effective permissions. A compromised Trivy instance does not need to escalate privileges—it already has access to the data it needs to exfiltrate.
The exfiltration mechanism harvests credentials from the environment where Trivy executes, which in most CI/CD architectures means the malicious code runs with the same permissions as the pipeline agent. In GitHub Actions, GitLab CI, Jenkins, CircleCI, and similar platforms, this includes access to all secrets injected into the pipeline context.
Real-World Impact
Trivy is one of the most widely adopted vulnerability scanners in cloud-native pipelines. Organizations using Trivy to scan container images, Kubernetes configurations, or infrastructure-as-code during build stages are directly affected.
A successful exploitation scenario proceeds as follows:
- A developer or automated pipeline pulls an affected Trivy version and executes a scan.
- The embedded malicious code runs silently alongside the legitimate scan.
- All accessible secrets—cloud keys, database credentials, SSH keys, tokens—are exfiltrated to an attacker-controlled endpoint.
- The attacker uses harvested cloud credentials to access production infrastructure, data stores, or container registries.
- Downstream artifacts built during compromised pipeline runs may themselves be tampered with or contain injected backdoors.
The blast radius extends beyond the build system. Cloud credentials obtained from a CI/CD environment typically grant access to production resources. SSH keys can enable lateral movement to servers. Database passwords can expose customer data. A single compromised Trivy execution can cascade into a full production breach.
CISA has added CVE-2026-33634 to the Known Exploited Vulnerabilities (KEV) catalog and mandates that federal agencies remediate by April 9, 2026. Non-federal organizations operating critical infrastructure or handling sensitive data should treat this deadline as a reference point for their own remediation timelines.
Affected Versions
Confirm the specific affected versions against Aqua Security's official security advisory before taking remediation action. Do not rely solely on this advisory to determine version scope—Aqua Security's published guidance is the authoritative source for which Trivy releases carry the malicious code.
Remediation and Mitigation
Step 1: Identify and remove affected Trivy deployments immediately. Audit all CI/CD pipelines, container images, Kubernetes jobs, and developer workstations running Trivy. Cross-reference installed versions against Aqua Security's advisory. Remove affected versions from all pipeline stages before performing any new scans.
Step 2: Rotate all credentials that may have been exposed. Assume any secret accessible to a pipeline that ran an affected Trivy version is compromised. This includes:
- AWS IAM access keys and secret keys
- GCP service account JSON credentials
- Azure service principal credentials
- GitHub, GitLab, and other VCS tokens
- SSH private keys stored on build agents
- Database passwords and connection strings
- Webhook secrets and API tokens
Rotation must happen before the attacker uses harvested credentials, which means treating this as an active incident, not a scheduled maintenance task.
Step 3: Review cloud audit logs and CI/CD logs for unauthorized access. Query AWS CloudTrail, GCP Cloud Audit Logs, and Azure Activity Logs for API calls made with credentials that were present in affected pipelines. Look for:
- Access from unexpected IP ranges
- API calls outside normal operational patterns
- New IAM users, roles, or service accounts created
- Data exfiltration events from storage buckets or databases
Review CI/CD platform audit logs for unexpected outbound network connections from build agents during the period when affected Trivy versions were in use.
Step 4: Assess downstream artifact integrity. Any container images, packages, or binaries built during pipeline runs that used compromised Trivy versions should be treated as potentially tampered. Verify artifact signatures where available. If integrity cannot be confirmed, rebuild affected artifacts from source using a clean pipeline and replace deployed versions.
Step 5: Upgrade to a clean Trivy release. Once affected versions are identified, upgrade to a Trivy release confirmed clean by Aqua Security. Verify the integrity of the new Trivy binary using published checksums or signatures before reintroducing it to pipelines.
Step 6: Implement pipeline security controls to prevent recurrence.
- Pin tool versions using verified checksums in all pipeline definitions.
- Restrict outbound network access from build agents to known-good endpoints.
- Implement secrets scanning and anomaly detection on pipeline environment variables.
- Require code review and approval for changes to pipeline tooling versions.
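The log review in Step 3 can be scripted against exported CloudTrail events. The following is an added example, not code from the advisory or from Aqua Security: it flags calls made with an access key that was present in an affected pipeline, from outside the build agents' known egress ranges, or that create new IAM principals or credentials. The sample events, the allow-listed range, the exposure window and the `AKIAEXAMPLE...` key IDs are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed CloudTrail-style events, trimmed to the fields the checks use
# (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId are real
# CloudTrail field names; the values are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-20T10:02:11Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2026-03-21T03:14:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2026-03-21T03:15:30Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2026-03-10T09:00:00Z", "eventName": "CreateRole",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
]

# Assumed inputs: egress ranges of the build agents, the date the affected Trivy
# build first ran, and the access keys that were injected into those pipelines.
KNOWN_GOOD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPOSURE_START = datetime(2026, 3, 15, tzinfo=timezone.utc)
PIPELINE_KEYS = {"AKIAEXAMPLE0001"}
# IAM calls that create a new principal or credential (Step 3, third bullet).
PERSISTENCE_CALLS = {"CreateUser", "CreateRole", "CreateAccessKey", "AttachUserPolicy"}


def triage(events, keys=PIPELINE_KEYS, ranges=KNOWN_GOOD_RANGES, start=EXPOSURE_START):
    """Return (accessKeyId, eventName, reasons) for every event made with an
    exposed key after the exposure window opened that matches an indicator."""
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in keys:
            continue  # credential was never present in an affected pipeline
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if when < start:
            continue  # predates the compromised Trivy runs
        reasons = []
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        if not any(ip in net for net in ranges):
            reasons.append("unexpected source IP")
        if ev["eventName"] in PERSISTENCE_CALLS:
            reasons.append("new IAM principal or credential created")
        if reasons:
            findings.append((key, ev["eventName"], reasons))
    return findings
```

Feed it the JSON records from a CloudTrail export for the exposure window; any finding means the key should be treated as actively abused, not merely rotated.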
References
- Aqua Security Trivy official security advisory (consult vendor directly for affected version list)
- CISA Known Exploited Vulnerabilities Catalog: CVE-2026-33634
- CISA KEV remediation deadline: April 9, 2026
Original Source
CISA KEV
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.