Google Chrome has a dangerous zero-day vulnerability attackers are actively using to run malicious code on systems. CVE-2026-2441 affects Chrome and all Chromium-based browsers including Edge, Brave, and Opera.
CVE-2026-33634: Trivy Compromised
Trivy, the vulnerability scanner from Aqua Security, has a supply chain vulnerability. CVE-2026-33634 lets attackers inject malicious code into the scanner itself. It's now on CISA's Known Exploited Vulnerabilities list — active exploitation confirmed.
The problem: your security scanner might not be telling the truth.
What a compromised Trivy can do
- Miss vulnerabilities it should flag
- Exfiltrate sensitive data from your containers
- Add backdoors while scanning
- Give attackers persistent access
Anyone using Trivy for container security is at risk: DevOps teams, security engineers, cloud-native environments.
Why this is worse than a normal CVE
The false sense of security is the real damage. You think your scans are working, but the scanner itself is compromised. You probably won't notice until something else goes wrong.
Data breaches, compliance failures, and having to tell clients "our security scanner was compromised" — that conversation doesn't go well.
What to do
Today:
- Find every system running Trivy
- Stop trusting recent scan results from affected versions
This week:
- Update to patched Trivy versions
- Verify downloads came from official sources
- Run an alternative scanner on critical systems
- Manually review recent scan results
Next 2-4 weeks:
- Update CI/CD pipelines to pull a clean, patched Trivy build
- Start using multiple scanning tools (defense in depth)
- Add verification steps for third-party tool updates
Going forward:
- Treat security tools like any other software — verify before trusting
- Use SBOMs to track what's in your tools
- Monitor tool behavior for anything unusual
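One concrete form of "verify before trusting" for the download and CI/CD steps above, written here as an added example (not Trivy's or Aqua Security's own code): a fail-closed POSIX shell check that refuses to install a downloaded release artifact unless its SHA-256 digest matches an exact entry in a checksums file. It assumes the "<sha256>  <filename>" line format that GoReleaser-built projects publish alongside their GitHub releases; the file and artifact names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the Trivy project's code): fail-closed SHA-256 verification
# of a downloaded tool artifact before it is unpacked, installed, or run in CI.
# Assumption: the checksums file uses the "<sha256>  <filename>" format that
# GoReleaser-built projects publish with their releases.
set -eu

# Portable SHA-256: coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact <artifact> <checksums-file>
# Succeeds only when the artifact's basename has an exact entry AND the
# digest matches. A missing entry is rejected too: never "pass by default".
verify_artifact() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
  if [ -z "$expected" ]; then
    echo "REJECT: no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  if [ "$actual" != "$expected" ]; then
    echo "REJECT: digest mismatch for $name (expected $expected, got $actual)" >&2
    return 1
  fi
  echo "OK: $name matches pinned digest"
}

# Demo on constructed files: a clean artifact (accepted), the same artifact
# with bytes appended (rejected), and an unlisted file (rejected).
# Returns 0 only if all three cases are handled correctly.
demo_verify() {
  d=$(mktemp -d)
  a="$d/tool_9.9.9_Linux-64bit.tar.gz"
  printf 'constructed release payload\n' > "$a"
  printf '%s  tool_9.9.9_Linux-64bit.tar.gz\n' "$(sha256_of "$a")" > "$d/checksums.txt"
  verify_artifact "$a" "$d/checksums.txt" || return 1
  printf 'injected bytes\n' >> "$a"
  verify_artifact "$a" "$d/checksums.txt" && return 1
  printf 'x\n' > "$d/unlisted.tar.gz"
  verify_artifact "$d/unlisted.tar.gz" "$d/checksums.txt" && return 1
  rm -rf "$d"
  return 0
}

demo_verify
```

Keep the expected digest pinned in your own repository (recorded once, reviewed when you bump versions) rather than fetching the checksums file from the same place at the same time, since a compromised release pipeline can publish matching checksums for a tampered binary; where the vendor also publishes signatures, verify those in addition to the digest.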
This is a supply chain attack where the tool designed to protect you becomes the attack vector. Update Trivy now.