Aquasecurity: CISA Adds Aquasecurity Trivy Scanner Vulnerability to KEV Catalog

Critical Trivy Scanner Vulnerability Added to CISA’s Exploited Flaws Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33634, a severe vulnerability in Aquasecurity’s Trivy scanner, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, classified under CWE-506 (embedded malicious code), allows threat actors to compromise CI/CD pipelines by exploiting the security tool itself.

The vulnerability stems from malicious code embedded in Trivy’s architecture, turning a trusted scanning utility into a vector for unauthorized access. If exploited, attackers can extract authentication tokens, SSH keys, cloud credentials, and database passwords from memory during scans. Since Trivy requires elevated permissions for deep container and infrastructure-as-code (IaC) analysis, successful exploitation grants full control over the development environment.

CI/CD pipelines are prime targets for supply chain attacks, as compromised environments enable attackers to distribute malicious updates directly to end users, bypassing traditional security measures. CISA has set a remediation deadline of April 9, 2026, for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01, though private organizations are urged to act with equal urgency.

Aquasecurity has released patches, but if they are unavailable, CISA advises discontinuing Trivy’s use to mitigate risk. Beyond patching, security teams must rotate all exposed credentials, including cloud tokens, SSH keys, and database passwords, and audit cloud environments for suspicious activity, as the flaw’s memory exposure may have already led to breaches.
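To scope the credential rotation described above, one approach is to list which secrets were visible to the CI jobs that ran Trivy. The following is an added example, not code from the article, CISA or Aquasecurity; it assumes GitHub Actions workflows, uses a line-based heuristic rather than a full YAML parser, and the sample workflow and secret names are constructed.

```python
import re

# Constructed sample workflow (not from the article); secret names are hypothetical.
SAMPLE_WORKFLOW = """\
name: build
env:
  REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  deploy:
    steps:
      - run: ./deploy.sh
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
"""

SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job ids sit two spaces under `jobs:`
TRIVY_RE = re.compile(r"\btrivy\b", re.IGNORECASE)

def secrets_to_rotate(workflow_text):
    """Return {job_id: sorted secret names} for every job that invokes Trivy."""
    shared, jobs, current, in_jobs = set(), {}, None, False
    for line in workflow_text.splitlines():
        if re.match(r"^[A-Za-z]", line):  # top-level key: are we inside `jobs:`?
            in_jobs, current = line.startswith("jobs:"), None
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            current = m.group(1)
            jobs[current] = {"trivy": False, "secrets": set()}
            continue
        found = SECRET_RE.findall(line)
        if current is None:
            shared.update(found)  # workflow-level env is visible to every job
        else:
            jobs[current]["secrets"].update(found)
            jobs[current]["trivy"] |= bool(TRIVY_RE.search(line))
    # Only jobs that ran Trivy are in scope; add the workflow-level secrets to each.
    return {j: sorted(d["secrets"] | shared) for j, d in jobs.items() if d["trivy"]}
```

This only finds secrets referenced in the workflow text; credentials present on the runner itself (instance roles, mounted SSH keys, cached cloud logins) need a separate review.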

Source: https://cybersecuritynews.com/aquasecurity-trivy-scanner-vulnerability/

Aqua Security cybersecurity rating report: https://www.rankiteo.com/company/aquasecteam

"id": "AQU1774671948",
"linkid": "aquasecteam",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Trivy scanner, '
                                              'including Federal Civilian '
                                              'Executive Branch (FCEB) '
                                              'agencies and private '
                                              'organizations',
                        'industry': 'Cybersecurity',
                        'name': 'Aquasecurity',
                        'type': 'Cybersecurity Company'}],
 'attack_vector': 'Embedded Malicious Code in Security Tool',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Authentication tokens, SSH keys, '
                                             'cloud credentials, database '
                                             'passwords'},
 'description': 'CISA has added CVE-2026-33634, a severe vulnerability in '
                'Aquasecurity’s Trivy scanner, to its Known Exploited '
                'Vulnerabilities (KEV) catalog. The flaw allows threat actors '
                'to compromise CI/CD pipelines by exploiting the security tool '
                'itself, enabling extraction of authentication tokens, SSH '
                'keys, cloud credentials, and database passwords from memory '
                'during scans.',
 'impact': {'data_compromised': 'Authentication tokens, SSH keys, cloud '
                                'credentials, database passwords',
            'operational_impact': 'Full control over development environment, '
                                  'potential distribution of malicious updates',
            'systems_affected': 'CI/CD pipelines, development environments'},
 'post_incident_analysis': {'corrective_actions': 'Patch management, '
                                                  'credential rotation, cloud '
                                                  'environment audits',
                            'root_causes': 'Embedded malicious code in Trivy’s '
                                           'architecture (CWE-506)'},
 'recommendations': 'Patch Trivy immediately, rotate exposed credentials, '
                    'audit cloud environments, discontinue use if patches are '
                    'unavailable',
 'references': [{'source': 'CISA Known Exploited Vulnerabilities (KEV) '
                           'catalog'}],
 'regulatory_compliance': {'regulations_violated': 'Binding Operational '
                                                   'Directive (BOD) 22-01 (for '
                                                   'FCEB agencies)',
                           'regulatory_notifications': 'CISA KEV catalog '
                                                       'addition'},
 'response': {'containment_measures': 'Discontinue Trivy’s use if patches are '
                                      'unavailable',
              'recovery_measures': 'Audit cloud environments for suspicious '
                                   'activity',
              'remediation_measures': 'Apply Aquasecurity’s patches, rotate '
                                      'all exposed credentials (cloud tokens, '
                                      'SSH keys, database passwords)'},
 'title': 'Critical Trivy Scanner Vulnerability Added to CISA’s Exploited '
          'Flaws Catalog',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'CVE-2026-33634 (CWE-506)'}