Impact
The vulnerability resides in the local workflow runner "act", which unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands. If a workflow step echoes untrusted data to stdout, those commands can be injected to set arbitrary environment variables or alter the PATH for all subsequent steps. This gives an attacker a way to influence the execution environment of later steps, potentially enabling execution of malicious code or altering program behavior. The weakness is a classic injection flaw of the kind catalogued as CWE-74.
Affected Systems
Installations of the nektos act tool prior to version 0.2.86 are affected. The advisory states that, starting with release 0.2.86, processing of the ::set-env:: and ::add-path:: commands has been removed, which mitigates the risk. Any environment running an older release should be considered vulnerable.
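To make the mechanism described under Impact and the fix described above concrete, here is an added illustrative Go re-implementation (written for this page, not act's own code) of how a runner scans a step's stdout for workflow commands: with honourDeprecated=true it shows what a pre-0.2.86 runner would apply to later steps, and with false it shows the hardened behaviour of dropping those commands. The sample stdout, the regex and all function names are constructed for this example.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample of one step's stdout: a log line, two deprecated commands that
// untrusted data could smuggle in, and a command a hardened runner still honours.
const SampleStepOutput = "building project\n" +
	"::set-env name=INJECTED_VAR::from-untrusted-output\n" +
	"::add-path::/tmp/untrusted-bin\n" +
	"::warning::this command is still honoured\n"

// Workflow commands look like "::name key=value,key2=value2::data" (parser written for this example, not act's code).
var cmdRe = regexp.MustCompile(`^::([a-zA-Z-]+)(?: ([^:]*))?::(.*)$`)

// parseProps turns "name=FOO,other=bar" into a map; an empty string yields an empty map.
func parseProps(s string) map[string]string {
	props := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			props[k] = v
		}
	}
	return props
}

// ApplyStepOutput replays a step's stdout. honourDeprecated=true mimics a legacy runner and
// returns the env/PATH changes later steps inherit; false drops set-env/add-path and reports them.
func ApplyStepOutput(stdout string, honourDeprecated bool) (env map[string]string, pathAdds []string, rejected []string) {
	env = map[string]string{}
	for _, line := range strings.Split(stdout, "\n") {
		m := cmdRe.FindStringSubmatch(strings.TrimRight(line, "\r"))
		if m == nil {
			continue // ordinary log output, not a workflow command
		}
		name, props, value := m[1], parseProps(m[2]), m[3]
		if (name == "set-env" || name == "add-path") && !honourDeprecated {
			rejected = append(rejected, line)
			continue
		}
		switch name {
		case "set-env":
			env[props["name"]] = value
		case "add-path":
			pathAdds = append(pathAdds, value)
		}
	}
	return env, pathAdds, rejected
}
```

Running ApplyStepOutput over the captured stdout of each step with honourDeprecated=false also gives a CI pipeline a cheap detection signal: any non-empty rejected list means a step emitted environment-mutating commands that should be investigated.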
Risk and Exploitability
The CVSS score of 7.7 classifies the issue as high severity, reflecting the potential impact of environment manipulation. The EPSS score indicates less than 1% likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector requires an attacker to supply or influence untrusted input that is echoed within a workflow step, so any CI pipeline that accepts untrusted data is at risk. Exploitation would be straightforward for a developer or CI operator with access to the workflow file or its inputs, making the risk moderate to high in such settings.