Back to overview

CVE-2026-61828

HIGH
8.5
CVSS 4.0
Description
Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05.

Metadata

CVE ID
CVE-2026-61828
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-10 20:17 UTC
Published
2026-07-15 14:52 UTC
Last updated
2026-07-15 16:32 UTC
Primary CWE
CWE-276
CWE-276: Incorrect Default Permissions
Vendor / Product
NixOS / nixpkgs
Sources
cve.org  ·  NVD

Severity & Metrics

8.5 HIGH CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
NixOS nixpkgs < 25.11, >= 26.05-beta, < 26.05
Weakness (CWE)
CWESourceDescription
CWE-276 cna CWE-276: Incorrect Default Permissions
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.5 HIGH 4.0 cna CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (7)
Back to overview