Potential Supply Chain Compromise Trivy Vulnerability CVE-2026-33634 in Harbor



Article ID: 435755


Products

VMware Tanzu Kubernetes Grid Management

Issue/Introduction

  • This article covers a supply chain compromise involving the Trivy container image used within Harbor registry deployments.
  • This is not an inherent vulnerability in VMware or Harbor code; the risk is that a malicious upstream payload may have executed in your environment if it pulled a compromised image (identified by its SHA-256 digest) during the attack window.

Environment

TKGm 2.5.x

Cause

A supply chain compromise of the upstream Trivy container image, where malicious code was injected into the build pipeline of the third-party scanner utilized by Harbor.

Resolution

To assess the active runtime state of your cluster, run either of the following diagnostic queries (each prints the Trivy workload name and the container image it references):

  • Querying the StatefulSet

    kubectl get statefulset -n <harbor-namespace> -l component=trivy -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.template.spec.containers[0].image}{"\n"}{end}'

  • Querying the Pods

    kubectl get pods -n <harbor-namespace> -l component=trivy -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}{end}'

    (Note: replace <harbor-namespace> with your actual namespace, such as tanzu-system-registry or harbor)

  • If the output matches a vulnerable version or a compromised SHA-256 digest (as detailed in CVE-2026-33634):

      • We strongly advise immediately engaging your internal Information Security and Incident Response teams to evaluate the environment.

      • Your internal security team should dictate the appropriate incident response and remediation strategy.

      • This discussion may include reviewing deployment configurations (e.g., pinning the trivy-adapter to a known-safe version) and executing standard credential rotation procedures for any potentially exposed environment variables or tokens.

  • If the output indicates an unaffected version:

      • This suggests your Kubernetes runtime did not pull the compromised upstream container and is not impacted by this specific attack vector.

      • However, we still recommend providing this information to your internal security team to assist with their ongoing risk assessment and audit efforts regarding this CVE.
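As an added example (not part of this article, and not VMware's or Harbor's own tooling), the following POSIX shell script takes the name/image lines printed by the queries above and reports, per line, whether the image reference is pinned to a digest on a compromised list, pinned to some other digest, carries a tag on a compromised list, or is an unpinned tag that cannot be assessed from the spec alone. The digest and tag values in the script are placeholders, not indicators from the advisory; substitute the values published for CVE-2026-33634. The optional live query at the end runs only when HARBOR_NS is set and kubectl is available, and reads .status.containerStatuses[0].imageID (the image reference the kubelet actually pulled) rather than the tag requested in the spec, which is the more reliable value when the deployment uses a mutable tag. All sample inputs in the comments and checks are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article): triage the "<name><TAB><image>" lines
# printed by the kubectl jsonpath queries above. The digests and tag below are
# PLACEHOLDERS (assumption), not real indicators; replace them with the values
# published for CVE-2026-33634.

COMPROMISED_DIGESTS='sha256:PLACEHOLDER_COMPROMISED_DIGEST_A
sha256:PLACEHOLDER_COMPROMISED_DIGEST_B'

COMPROMISED_TAGS='PLACEHOLDER_COMPROMISED_TAG'

# classify_image IMAGE_REF
# Prints COMPROMISED_DIGEST, PINNED_OK, COMPROMISED_TAG or UNPINNED.
classify_image() {
  ref=$1
  case $ref in
    *@sha256:*)
      # Digest-pinned reference: the digest identifies exactly what was pulled.
      digest="sha256:${ref##*@sha256:}"
      if printf '%s\n' "$COMPROMISED_DIGESTS" | grep -qxF -- "$digest"; then
        echo COMPROMISED_DIGEST
      else
        echo PINNED_OK
      fi
      ;;
    *)
      # Tag-only reference. Look at the last path component so a registry port
      # (registry.example.com:5000/...) is not mistaken for a tag.
      last=${ref##*/}
      case $last in
        *:*) tag=${last##*:} ;;
        *)   tag=latest ;;
      esac
      if printf '%s\n' "$COMPROMISED_TAGS" | grep -qxF -- "$tag"; then
        echo COMPROMISED_TAG
      else
        # A mutable tag does not tell you which digest was pulled; compare the
        # kubelet-recorded imageID instead (see the live query below).
        echo UNPINNED
      fi
      ;;
  esac
}

# triage_report: reads "<name><TAB><image>" lines on stdin, prints one
# "<name><TAB><image><TAB><verdict>" line per input line, and returns 1 if
# anything was flagged as compromised, else 0.
triage_report() {
  tab=$(printf '\t')
  flagged=0
  while IFS=$tab read -r name image; do
    [ -n "$image" ] || continue
    verdict=$(classify_image "$image")
    printf '%s\t%s\t%s\n' "$name" "$image" "$verdict"
    case $verdict in COMPROMISED_*) flagged=1 ;; esac
  done
  return $flagged
}

# Live use (assumption: kubectl access to the cluster). Set HARBOR_NS to the
# Harbor namespace. This reads .status.containerStatuses[0].imageID, the image
# reference the kubelet actually pulled, rather than the tag requested in the
# spec; the exact imageID format varies by container runtime, but any form that
# contains "@sha256:" is handled above.
if [ -n "$HARBOR_NS" ] && command -v kubectl >/dev/null 2>&1; then
  kubectl get pods -n "$HARBOR_NS" -l component=trivy \
    -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.containerStatuses[0].imageID}{"\n"}{end}' \
    | triage_report
fi
```

Pipe the output of either query from the article into triage_report (for example, `kubectl get pods ... | triage_report`); a non-zero exit status means at least one line matched a compromised digest or tag. An UNPINNED verdict is not a clean result: it only means the spec alone cannot say which image was pulled, so re-run against the kubelet-recorded imageID before drawing a conclusion.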


Additional Information

Refer to the external links below for more information:

Trivy vulnerability scanner breach pushed infostealer via GitHub Actions

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper