By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-3055 is a critical out-of-bounds read vulnerability affecting NetScaler ADC and NetScaler Gateway. The flaw can lead to memory disclosure in systems configured as a SAML Identity Provider.
An unauthenticated remote attacker can exploit this vulnerability to read sensitive data from memory, including session information, authentication tokens, and other security-relevant data processed by the appliance. This exposure may enable session hijacking, authentication bypass scenarios, or further compromise of affected environments.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Supply Chain Compromise in Trivy and Related GitHub Actions
CVSS Score: 9.4 (Critical, CVSS v3.1)
Identifier: CVE-2026-33634
PoC or Exploitation:
CVE-2026-33634 is associated with real-world compromise activity. Attackers successfully published a malicious release of Trivy and modified GitHub Action tags, leading to active exploitation in CI/CD environments.
Update/Patch:
Affected:
- Trivy v0.69.4
- trivy-action versions prior to 0.35.0
- setup-trivy versions prior to the fixed 0.2.6 release
Fixed:
- Trivy v0.69.2 and v0.69.3
- trivy-action v0.35.0
- setup-trivy v0.2.6 (recreated safe release)
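Because the attackers moved existing GitHub Action tags, any workflow that references trivy-action or setup-trivy by a mutable tag or branch name can silently pull different code than it did yesterday, even if the version number looks fine. The following scanner is an added example written for this bulletin; it is not RedLegg's, Aqua Security's, or GitHub's code. It walks the `uses:` lines of a workflow file, skips references pinned to a full 40-character commit SHA (the only immutable way to reference an action), and flags anything else: references below the fixed releases named above (trivy-action 0.35.0, setup-trivy 0.2.6), references to branches or floating major tags, and exact version tags that are still mutable. The sample workflow and the placeholder commit SHA in it are constructed for the example, and the line matching is a deliberately simple regex rather than a full YAML parser.

```python
import re
from dataclasses import dataclass

# Fixed releases taken from the bulletin above.
FIXED_VERSIONS = {
    "aquasecurity/trivy-action": (0, 35, 0),
    "aquasecurity/setup-trivy": (0, 2, 6),
}

# A full git commit SHA is the only reference a tag rewrite cannot redirect.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" on a step line, with or without the list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s#]+)@([^\s#]+)")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def parse_version(ref):
    """Return (major, minor, patch) for a semver-style tag, else None."""
    m = VERSION_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_workflow(text):
    """Flag every mutable or outdated reference to the actions named in the bulletin."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action not in FIXED_VERSIONS:
            continue
        if SHA_RE.match(ref):
            continue  # immutable commit pin: nothing to flag
        fixed = FIXED_VERSIONS[action]
        ver = parse_version(ref)
        if ver is None:
            reason = "mutable ref (branch or major tag); resolves to whatever the tag points at today"
        elif ver < fixed:
            reason = "version below fixed release " + ".".join(map(str, fixed))
        else:
            reason = "version tag is mutable; pin to the commit SHA of the fixed release"
        findings.append(Finding(no, action, ref, reason))
    return findings


# Constructed sample workflow; the 40-hex SHA on the last step is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.5
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
```

Running it against the sample reports the setup-trivy step (below the 0.2.6 fix) and the `@master` trivy-action step, and stays silent on the SHA-pinned step. To use it on a repository, feed it each file under `.github/workflows/` and treat every finding as a step whose code you cannot currently vouch for; once re-pinned to a commit SHA, the comment beside the pin should carry the version it was verified against so reviewers can tell what the hash means.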
Mitigation Recommendation: