Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1830
published 1 week, 4 days ago
Permalink CVE-2026-40963
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: DAG authorization bypass on /ui/structure/structure_data

apache-airflow
  • <3.2.2
NIXPKGS-2026-1829
published 1 week, 4 days ago
Permalink CVE-2026-10229
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 1 week, 4 days ago by @LeSuisse Activity log

Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_meshes heap-based overflow

Assimp
  • ==6.0.4
  • ==6.0.3
  • ==6.0.1
  • ==6.0.2
  • ==6.0.0
NIXPKGS-2026-1828
published 1 week, 4 days ago
Permalink CVE-2026-45360
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: Arbitrary import in custom deadline-reference deserialization

apache-airflow
  • <3.2.2
NIXPKGS-2026-1827
published 1 week, 4 days ago
Permalink CVE-2026-41014
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints

apache-airflow
  • <3.2.2
NIXPKGS-2026-1826
published 1 week, 4 days ago
Permalink CVE-2026-42360
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking

apache-airflow
  • <3.2.2
NIXPKGS-2026-1825
published 1 week, 4 days ago
Permalink CVE-2026-42252
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern

apache-airflow
  • <3.2.2
NIXPKGS-2026-1824
published 1 week, 4 days ago
Permalink CVE-2026-40861
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler

apache-airflow
  • <3.2.2
NIXPKGS-2026-1822
published 1 week, 4 days ago
Permalink CVE-2026-41017
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy

apache-airflow
  • <3.2.2
NIXPKGS-2026-1821
published 1 week, 4 days ago
Permalink CVE-2026-45426
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access

apache-airflow
  • <3.2.2
NIXPKGS-2026-1823
published 1 week, 4 days ago
Permalink CVE-2026-41084
updated 1 week, 4 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 5 days ago
  • @LeSuisse accepted 1 week, 5 days ago
  • @LeSuisse published on GitHub 1 week, 4 days ago

Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation

apache-airflow
  • <3.2.2