Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed

Permalink CVE-2026-3739

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

updated 1 week, 6 days ago by @mweinelt Activity log

Created automatic suggestion 1 week, 6 days ago
@mweinelt removed
7 packages
- mautrix-gmessages
- ayatana-indicator-messages
- graylogPlugins.filter-messagesize
- python312Packages.teamcity-messages
- python313Packages.teamcity-messages
- python314Packages.teamcity-messages
- chickenPackages_5.chickenEggs.messages
1 week, 6 days ago
@mweinelt dismissed 1 week, 6 days ago

suitenumerique messages ThreadAccess serializers.py ThreadAccessSerializer improper authentication

A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the function ThreadAccessSerializer of the file src/backend/core/api/serializers.py of the component ThreadAccess. The manipulation results in improper authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.3.0 is capable of addressing this issue. The patch is identified as d7729f4b885449f6dee3faf8b5f2a05769fb3d6e. The affected component should be upgraded.

References

VDB-349717 | suitenumerique messages ThreadAccess serializers.py ThreadAccessSerializer improper authentication vdb-entry technical-description
VDB-349717 | CTI Indicators (IOB, IOC, IOA) signature permissions-required
Submit #767329 | La Suite Numerique messages 0.2.0 IDOR third-party-advisory
https://github.com/suitenumerique/messages/security/advisories/GHSA-7476-6crq-4… exploit
https://github.com/suitenumerique/messages/pull/557 issue-tracking patch
https://github.com/suitenumerique/messages/commit/d7729f4b885449f6dee3faf8b5f2a… patch
https://github.com/suitenumerique/messages/releases/tag/v0.3.0 patch
https://github.com/suitenumerique/messages/ product

Affected products

messages

==0.3.0
==0.2.0

Ignored packages (7)

pkgs.mautrix-gmessages

Matrix-Google Messages puppeting bridge

nixos-unstable 25.11
- nixpkgs-unstable 25.11
- nixos-unstable-small 25.11
nixos-25.11 25.11
- nixos-25.11-small 25.11
- nixpkgs-25.11-darwin 25.11

pkgs.ayatana-indicator-messages

Ayatana Indicator Messages Applet

nixos-unstable 24.5.1
- nixpkgs-unstable 24.5.1
- nixos-unstable-small 24.5.1
nixos-25.11 24.5.1
- nixos-25.11-small 24.5.1
- nixpkgs-25.11-darwin 24.5.1

pkgs.graylogPlugins.filter-messagesize

Prints out all messages that have an estimated size crossing a configured threshold during processing

nixos-unstable 0.0.2
- nixpkgs-unstable 0.0.2
- nixos-unstable-small 0.0.2
nixos-25.11 0.0.2
- nixos-25.11-small 0.0.2
- nixpkgs-25.11-darwin 0.0.2

pkgs.python312Packages.teamcity-messages

Python unit test reporting to TeamCity

nixos-25.11 1.33
- nixos-25.11-small 1.33
- nixpkgs-25.11-darwin 1.33

pkgs.python313Packages.teamcity-messages

Python unit test reporting to TeamCity

nixos-unstable 1.33
- nixpkgs-unstable 1.33
- nixos-unstable-small 1.33
nixos-25.11 1.33
- nixos-25.11-small 1.33
- nixpkgs-25.11-darwin 1.33

pkgs.python314Packages.teamcity-messages

Python unit test reporting to TeamCity

nixos-unstable 1.33
- nixpkgs-unstable 1.33
- nixos-unstable-small 1.33

pkgs.chickenPackages_5.chickenEggs.messages

Creating algebraic- and abstract-types based on vectors

nixos-unstable 0.7
- nixpkgs-unstable 0.7
- nixos-unstable-small 0.7
nixos-25.11 0.7
- nixos-25.11-small 0.7
- nixpkgs-25.11-darwin 0.7

Not in nixpkgs