CISA Adds Critical Aqua Security Trivy Scanner Vulnerability CVE-2023-39325 to KEV Catalog
Key Takeaways
- CISA has added a critical vulnerability, CVE-2026-33634, affecting Aqua Security’s Trivy scanner to its KEV catalog.
- The flaw, categorized as CWE-506, involves malicious code embedded within the scanner, allowing attackers to compromise CI/CD pipelines.
- Successful exploitation grants unauthorized access to sensitive data like authentication tokens, SSH keys, cloud credentials, and database passwords.
- Federal agencies must apply remediation by April 9, 2026, and private organizations are strongly advised to follow suit.
- Immediate patching and rotation of all exposed secrets are crucial to mitigate the severe risks posed by this vulnerability.
Critical Trivy Scanner Vulnerability Added to CISA’s KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a severe vulnerability in Aqua Security’s Trivy scanner to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, identified as CVE-2026-33634, poses a serious risk to software development supply chains.
Exploitation of this security defect could enable malicious actors to infiltrate highly sensitive Continuous Integration and Continuous Deployment (CI/CD) environments, compromising the integrity and security of development operations.
Understanding CVE-2026-33634
Designated as an embedded malicious code vulnerability under CWE-506, CVE-2026-33634 stems from harmful code inserted directly into the Trivy scanner itself. This turns a tool that is meant to find security problems into a vector for attack.
An attacker who successfully exploits this vulnerability can fully compromise the CI/CD pipeline in which the scanner runs. Because Trivy scans containers, infrastructure-as-code, and source repositories, and often runs with elevated permissions to do so, the vulnerability effectively gives attackers broad access to the whole development environment.
Profound Impact on CI/CD Environments
The scope of unauthorized access facilitated by this flaw is extensive. Attackers can exfiltrate critical assets such as authentication tokens, SSH keys, cloud provider credentials, and database passwords. Furthermore, any sensitive configuration data temporarily residing in memory during the scanning process becomes vulnerable to theft.
CI/CD pipelines are the operational backbone of modern software development, making them prime targets for sophisticated supply chain attacks. A threat actor gaining control over these environments can inject malicious updates directly into end-user products, effectively bypassing conventional security defenses and impacting a wide array of downstream systems.
CISA Mandates and Remediation Steps
In response to evidence of active exploitation, CISA has mandated a remediation deadline of April 9, 2026. While this directive primarily applies to Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01, private sector organizations are strongly advised to treat this timeline with equivalent urgency given the severe implications of the vulnerability.
Immediate action is imperative. System administrators must promptly apply all available mitigations from Aqua Security and update to a clean, patched version of the Trivy scanner. If no patches or mitigations are currently available, CISA explicitly recommends discontinuing the use of the product altogether. Operating a compromised scanner poses an unacceptable risk to cloud services and internal network infrastructure.
What You Should Do
- Immediately apply all available patches and updates from Aqua Security for the Trivy scanner.
- If a patch is not available, cease using the Trivy scanner until a secure version can be deployed.
- Assume compromise for all secrets, SSH keys, cloud tokens, and database passwords that may have passed through the scanner’s memory, and rotate them immediately.
- Conduct thorough audits of cloud environments for any unusual API calls or unauthorized access attempts that might indicate the use of stolen credentials.
- Implement robust monitoring within CI/CD pipelines to detect anomalous activities and potential breaches proactively.
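As an added example (not code from the article or from Aqua Security), the following Python audit shows one concrete way to act on the guidance above before updating to a clean scanner build: it scans GitHub Actions workflow text for references to the `aquasecurity/trivy-action` action (the action's real name; the sample workflow and its 40-hex commit ref are constructed) and flags mutable refs such as `@master` and curl-piped-to-shell installers, which pull whatever the remote currently serves without any checksum verification.

```python
import re
from dataclasses import dataclass

# Constructed sample GitHub Actions workflow (not from the article). The 40-hex
# ref is a placeholder, not a real trivy-action commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: curl -sfL https://example.invalid/install.sh | sh -s -- -b /usr/local/bin
      - run: trivy image myapp:latest
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
CURL_PIPE_RE = re.compile(r"^\s*-?\s*run:.*\bcurl\b.*\|\s*(?:ba)?sh\b", re.M)

@dataclass
class Finding:
    line: int   # 1-based line in the workflow text
    kind: str   # "unpinned-trivy", "pinned-trivy" or "curl-pipe-sh"
    detail: str

def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1

def audit_workflow(text, action="aquasecurity/trivy-action"):
    """Report how the Trivy action is referenced and any curl|sh installs."""
    findings = []
    for m in USES_RE.finditer(text):
        name, ref = m.group(1), m.group(2)
        if name != action:
            continue   # only the scanner action is in scope here
        kind = "pinned-trivy" if SHA_RE.match(ref) else "unpinned-trivy"
        findings.append(Finding(_line_of(text, m.start()), kind, f"{name}@{ref}"))
    for m in CURL_PIPE_RE.finditer(text):
        # A piped installer runs whatever the URL serves; nothing is checksummed.
        findings.append(Finding(_line_of(text, m.start()), "curl-pipe-sh", m.group(0).strip()))
    return findings

def needs_action(findings):
    """True if any reference is mutable or any install is unverified."""
    return any(f.kind in ("unpinned-trivy", "curl-pipe-sh") for f in findings)
```

Run `audit_workflow` over each workflow file in the repository and treat every `unpinned-trivy` or `curl-pipe-sh` finding as a place where the scanner version cannot be proven clean.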
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.