Skip to main content

osquery CVE-2026-46388

| EUVDEUVD-2026-42916 MEDIUM
Incorrect Execution-Assigned Permissions (CWE-279)
2026-07-10 GitHub_M
4.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.4 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
4.4 MEDIUM

Local-only exploitation requiring a low-privilege account, an active carve window (timing dependency), and admin-initiated carve; confidentiality-only impact with no data modification or availability loss.

3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 17:01 EUVD
Analysis Generated
Jul 10, 2026 - 16:16 vuln.today

DescriptionCVE.org

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.

AnalysisAI

File carve operations in osquery prior to 5.23.1 expose sensitive data due to world-readable temporary directory permissions, allowing a local unprivileged attacker to read carve contents during the collection window. If the carve targets a directory the attacker controls, the impact extends to arbitrary local file reads. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local unprivileged shell access
Delivery
Wait for admin-initiated file carve
Exploit
Access world-readable temporary carve directory
Execution
Read sensitive carve contents
Impact
Exfiltrate data before cleanup completes

Vulnerability AssessmentAI

Exploitation Exploitation requires four concurrent conditions: (1) the attacker holds a local unprivileged account (PR:L) on the host running osquery; (2) a file carve must be actively in progress - triggered by an administrator or automated query schedule (UI:R); (3) the attacker must have read access to the osquery temporary carve directory (the core permission gap) or control over the carve target directory (AC:H); and (4) the attacker must act within the carve's active window before temporary files are deleted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.4 Medium (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N) correctly characterises this as a local, high-complexity, confidentiality-only issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged attacker on a monitored host waits for an osquery administrator to schedule or trigger a file carve. During the carve operation, the attacker polls or watches the osquery temporary working directory and reads the carve contents - which may include configuration files, credentials, or other sensitive data - before cleanup occurs. …
Remediation Upgrade to osquery 5.23.1, which corrects the carve directory permissions at creation time. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy