Severity by source
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Local-only exploitation requiring a low-privilege account, an active carve window (timing dependency), and admin-initiated carve; confidentiality-only impact with no data modification or availability loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.
AnalysisAI
File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires four concurrent conditions: (1) the attacker holds a local unprivileged account (PR:L) on the host running osquery; (2) a file carve must be actively in progress - triggered by an administrator or automated query schedule (UI:R); (3) the attacker must have read access to the osquery temporary carve directory (the core permission gap) or control over the carve target directory (AC:H); and (4) the attacker must act within the carve's active window before temporary files are deleted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.4 Medium (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N) correctly characterises this as a local, high-complexity, confidentiality-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged attacker on a monitored host waits for an osquery administrator to schedule or trigger a file carve. During the carve operation, the attacker polls or watches the osquery temporary working directory and reads the carve contents - which may include configuration files, credentials, or other sensitive data - before cleanup occurs. … |
| Remediation | Upgrade to osquery 5.23.1, which corrects the carve directory permissions at creation time. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
osquery before version 4.4.0 enables a privilege escalation vulnerability. Rated high severity (CVSS 8.2), this vulnerab
An issue was discovered in osquery. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, lo
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Rated medium severity (C
Incorrect validation of the TLS SNI hostname in osquery versions after 2.9.0 and before 4.2.0 could allow an attacker to
In some configurations an attacker can inject a new executable path into the extensions.load file for osquery and hard l
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM
Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a m
Same weakness CWE-279 – Incorrect Execution-Assigned Permissions
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42916