Skip to main content

Nixpkgs EUVDEUVD-2026-44690

| CVE-2026-61828 HIGH
Incorrect Default Permissions (CWE-276)
2026-07-15 GitHub_M
8.5
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Any local account can log in as MySQL root over the socket, so AV:L/AC:L/PR:L/UI:N with full C/I/A over the database; scope unchanged as impact stays within the DBMS.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:46 vuln.today
Analysis Generated
Jul 15, 2026 - 15:46 vuln.today
CVE Published
Jul 15, 2026 - 14:52 cve.org
HIGH 8.5

DescriptionCVE.org

Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05.

AnalysisAI

Local privilege escalation to MySQL root in the NixOS services.mysql module (Nixpkgs, before the 25.11 and 26.05 channel fixes) lets any unprivileged local account - including web, CGI, or other service processes on the same host - authenticate as the database root@localhost user with no password when the module is deployed with the mysql or percona-server package. Because the module initialized root@localhost without socket or password authentication, the DBMS trusted any local connection as root, granting full read/write control over all databases. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain unprivileged local process (web/CGI)
Delivery
Reach MySQL Unix socket
Exploit
Connect as root@localhost without password
Execution
Authenticate as DB root
Impact
Read/modify all databases and create privileged accounts

Vulnerability AssessmentAI

Exploitation Requires an existing local, unprivileged foothold on the host (per CVSS AV:L/PR:L) AND the NixOS services.mysql module deployed with the mysql (Oracle MySQL) or percona-server package on a channel prior to the 25.11/26.05 fix, with root@localhost still on default password/native authentication rather than auth_socket. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, score 8.5) is internally consistent with the description: local vector, low complexity, low privileges (any local account) yielding high confidentiality, integrity, and availability impact over the database. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker controlling a low-privilege local process - for example an exploited PHP/CGI web worker running as the www or nobody user on a NixOS host running services.mysql with the mysql package - simply runs 'mysql -u root' over the local socket and is accepted as root@localhost with no password. From there they read or modify every database, create new privileged DB accounts, or abuse MySQL file/UDF features to escalate further. …
Remediation Vendor-released patch: update Nixpkgs/NixOS to the fixed 25.11 or 26.05 channel and rebuild, applying the services.mysql module change that sets root@localhost to auth_socket authentication for mysql and percona-server (see advisory GHSA-6qxx-6rg8-c4p8 and PR https://github.com/NixOS/nixpkgs/pull/534254). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running NixOS with the mysql or percona-server module by reviewing /etc/nixos/configuration.nix and nix-channel --list output to determine Nixpkgs version status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy