Protect.Computer
NEWS

CISA adds Trivy CVE-2026-33634 to KEV after supply-chain compromise

· 1 min read · Supply chain Credential theft
CISA adds Trivy CVE-2026-33634 to KEV after supply-chain compromise

Photo by protect.computer (custom explainer graphic) on protect.computer

What happened

CISA added CVE-2026-33634 (Aqua Security Trivy embedded malicious code vulnerability) to its Known Exploited Vulnerabilities (KEV) catalog on 2026-03-26.

KEV inclusion means U.S. federal agencies now have a formal remediation deadline (2026-04-09) and private-sector defenders should treat this as an actively exploited, high-priority risk.

This follows the recent Trivy supply-chain incident where compromised components could expose CI/CD secrets and cloud credentials.

Why this matters

Trivy and its related GitHub Action tooling are deeply integrated in build pipelines. If a compromised component runs in CI/CD, an attacker may gain access to:

  • Repository tokens
  • Cloud provider keys
  • SSH material and deployment credentials
  • Secrets loaded during build/test/release jobs

A KEV entry increases operational urgency: defenders should assume attacker interest is high and remediation windows are short.

How to check if you’re affected

Potentially affected environments

  • Organizations using Trivy binaries, containers, or CI integrations during the recent supply-chain incident window.
  • GitHub Actions workflows referencing mutable Trivy action tags or previously affected releases.

Quick verification steps

  1. Inventory Trivy usage across CI/CD

    • Search all repos and pipeline templates for aquasecurity/trivy, trivy-action, and setup-trivy.

  2. Validate what actually executed

    • Review CI job history around the incident period and confirm exact action references (tag vs commit SHA) and artifact digests.

  3. Check for unsafe versions/references

    • Compare your references with vendor guidance and move to known-safe releases/SHAs immediately.

  4. Assume secret exposure if uncertain

    • Rotate GitHub, cloud, registry, and deployment secrets accessible to impacted jobs.

  5. Harden pipeline trust boundaries

    • Pin actions to immutable SHAs, minimize token scopes, and alert on unusual secret access or outbound connections.

Immediate defensive actions

  • Patch/upgrade per Aqua guidance.
  • Rotate all CI/CD secrets that could have been exposed.
  • Re-run sensitive deployment workflows after cleanup with fresh credentials.
  • Add controls to block mutable-tag action usage in production pipelines.

Sources

Bottom line

CISA KEV status for CVE-2026-33634 is a clear escalation signal. If Trivy touches your CI/CD path, validate exposure now, rotate secrets, and enforce immutable dependency pinning before your next release cycle.

Related reading

News
CERT-EU confirms European Commission cloud breach linked to Trivy supply-chain compromise

CERT-EU says attackers used credentials stolen in the Trivy supply-chain incident to access a European Commission AWS account and exfiltrate data affecting multiple EU entities.

News
TrueConf CVE-2026-3502 zero-day abused to push malicious updates from trusted servers

Researchers report active exploitation of CVE-2026-3502 in TrueConf, where attackers can abuse an on-prem server trust path to deliver malicious client updates to connected endpoints.

News
CISA adds Zimbra CVE-2025-66376 to KEV after active exploitation warning

CISA added Synacor Zimbra Collaboration Suite CVE-2025-66376 to the KEV catalog, signaling active exploitation risk and urgent remediation needs.

News
CISA adds F5 BIG-IP CVE-2025-53521 to KEV after active exploitation

CISA added CVE-2025-53521 in F5 BIG-IP to the KEV catalog on March 27, 2026; exposed APM deployments should be triaged and patched immediately.