Local Authentication Vulnerability in MySQL Services of Nixpkgs by NixOS
CVE-2026-61828

8.5HIGH

Key Information:

Vendor

Nixos

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61828?

The Nixpkgs software repository has a vulnerability that affects MySQL services on NixOS. Due to improper initialization of the MySQL database, local users, including unprivileged web and CGI processes running on the same host, can authenticate as the root user without a password. This could potentially lead to unauthorized access and control over the MySQL instance. Users are advised to upgrade to Nixpkgs versions 25.11 or 26.05 to mitigate this risk.

Affected Version(s)

nixpkgs < 25.11 < 25.11

nixpkgs >= 26.05-beta, < 26.05 < 26.05-beta, 26.05

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.