CISA has added CVE-2026-33634 to its Known Exploited Vulnerabilities catalogue. The entry covers Aquasecurity Trivy, a widely deployed open-source vulnerability scanner used in containerised and cloud-native CI/CD pipelines. The Aquasecurity Trivy Embedded Malicious Code Vulnerability allows a threat actor to gain complete access to authentication credentials and sensitive configuration data residing within continuous integration and continuous deployment environments.
The flaw constitutes a supply-chain compromise characterised by embedded malicious code within the product. It carries a CVSS score of 9.4, classified as Critical. Successful exploitation permits attackers to harvest authentication tokens, SSH keys, cloud provider credentials, database passwords, and sensitive in-memory configuration from affected build pipelines.
Security teams should note that this vulnerability potentially impacts multiple downstream products and environments where Trivy integrates across the software development lifecycle. Patch availability remains unconfirmed at this time.
CISA has confirmed active exploitation of this vulnerability in the wild. The agency has not attributed this activity to any specific ransomware campaign. Federal Civilian Executive Branch agencies must complete remediation by 9 April 2026.
CISA requires affected organisations to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. This binding operational directive applies directly to FCEB agencies. All organisations deploying Trivy within their software supply chains should immediately assess their exposure, review all vendor-provided guidance to ensure full remediation, and implement appropriate defensive measures.
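The first step the advisory asks for is an exposure assessment: finding every place Trivy is pulled into a pipeline and how it is referenced. The script below is an added example, not code from the advisory, CISA or the Trivy project. It assumes Trivy enters a pipeline in one of three common ways (the `aquasecurity/trivy-action` GitHub Action, the `aquasec/trivy` or `ghcr.io/aquasecurity/trivy` container image, or the upstream install script with a version argument) and inspects CI files matching a fixed set of globs; the workflow it scans is constructed for the demo, and the set of known-compromised versions is an empty placeholder to be filled from the vendor advisory once published. Mutable references (`@master`, `:latest`, a version tag) are the ones through which a poisoned release arrives automatically, so the script flags those separately from immutable digest pins.

```python
"""Inventory Trivy references in CI/CD configuration and flag mutable pins.

Added example for exposure assessment; assumptions are marked inline.
"""
import re
import tempfile
from pathlib import Path

# Three ways Trivy commonly enters a pipeline (assumption for this example).
ACTION_RE = re.compile(r"uses:\s*aquasecurity/trivy-action@([^\s#]+)")
IMAGE_RE = re.compile(r"(?:aquasec|ghcr\.io/aquasecurity)/trivy[:@]([^\s\"']+)")
INSTALL_RE = re.compile(r"install\.sh.*?\b(v\d+\.\d+\.\d+)\b")

# A 40-hex commit SHA (actions) or a sha256 digest (images) cannot be re-pointed.
IMMUTABLE_RE = re.compile(r"^(?:[0-9a-f]{40}|sha256:[0-9a-f]{64})$")

# PLACEHOLDER: populate from the vendor advisory; no versions were published
# on the page this example accompanies.
COMPROMISED_REFS = set()

# CI files inspected by this example (assumption; extend for other CI systems).
CI_GLOBS = (
    "**/.github/workflows/*.yml",
    "**/.github/workflows/*.yaml",
    "**/.gitlab-ci.yml",
    "**/Jenkinsfile",
    "**/Dockerfile*",
)


def classify_ref(ref):
    """Return the risk class of a single Trivy reference string."""
    if ref in COMPROMISED_REFS:
        return "known-compromised"
    if IMMUTABLE_RE.match(ref):
        return "pinned-digest"
    # Branch names, floating tags and version tags can all be re-pointed
    # upstream, so a tag alone does not prove a clean binary was used.
    return "tag"


def scan_text(text, source="<inline>"):
    """Find Trivy references in one file's text; returns a list of findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("action", ACTION_RE), ("image", IMAGE_RE),
                         ("install-script", INSTALL_RE)):
            m = rx.search(line)
            if m:
                ref = m.group(1)
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "ref": ref, "status": classify_ref(ref)})
    return findings


def scan_tree(root):
    """Walk a checkout and collect findings from every matching CI file."""
    root = Path(root)
    findings, seen = [], set()
    for pattern in CI_GLOBS:
        for path in sorted(root.glob(pattern)):
            if path in seen or not path.is_file():
                continue
            seen.add(path)
            rel = str(path.relative_to(root))
            findings.extend(scan_text(path.read_text(errors="replace"), rel))
    return findings


# Constructed sample workflow exercising all three reference styles.
SAMPLE_WORKFLOW = """name: image scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp:ci
      - run: docker run --rm aquasec/trivy:latest image myapp:ci
      - run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.50.0
"""


def demo():
    """Write the sample workflow into a temp checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        wf_dir = Path(tmp, ".github", "workflows")
        wf_dir.mkdir(parents=True)
        (wf_dir / "scan.yml").write_text(SAMPLE_WORKFLOW)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']}  {f['kind']:<14} {f['ref']:<10} {f['status']}")
```

Run it from the root of a checkout (replace `demo()` with `scan_tree(".")`) and treat every `tag` finding as a candidate for re-pinning to a digest after confirming the digest against the vendor's list of clean releases; a `pinned-digest` result only proves the reference is immutable, not that the pinned build predates the compromise.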
Consult the NVD entry and CISA KEV catalogue for complete technical details and guidance.