CISA Adds Critical Aquasecurity Trivy Scanner Vulnerability to KEV Catalog
CISA has urgently added a critical flaw affecting Aquasecurity’s Trivy scanner to its Known Exploited Vulnerabilities (KEV) catalog under tracking identifier CVE-2026-33634.
This security weakness involves embedded malicious code specifically targeting continuous integration and continuous deployment (CI/CD) environments, as categorized under CWE-506.
Due to Trivy’s widespread native use within DevOps pipelines, successful exploitation presents a severe global supply chain risk.
When triggered, the flaw enables threat actors to bypass access controls, achieving total visibility into the CI/CD environment. This grants them the ability to sweep memory spaces and operational configurations for high-value secrets.
The impact is extensive: compromised Trivy instances can harvest sensitive development tokens, SSH keys, primary cloud infrastructure credentials, and backend database passwords. Since scanners require deep system access, compromising Trivy effectively hands attackers keys to the entire software development life cycle.
While active exploitation in ransomware campaigns remains unconfirmed, the data exfiltration potential makes this highly lucrative for advanced persistent threats and initial access brokers.
CISA maintains the KEV catalog as the authoritative source of actively exploited flaws to help network defenders prioritize vulnerability management.
Adding CVE-2026-33634 on March 26, 2026, CISA has mandated a strict compliance deadline. Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by April 9, 2026.
Immediate application of mitigations per the vendor’s explicit instructions is required for all organizations.
Security teams managing cloud-based CI/CD pipelines must also follow the applicable guidance in Binding Operational Directive (BOD) 22-01.
If patches or mitigations are unavailable in a specific environment, CISA advises administrators to completely discontinue Trivy use until it can be securely remediated.