Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0911

NIXPKGS-2026-0911
published 2 months, 3 weeks ago
Permalink CVE-2026-34214
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @LeSuisse ignored
    3 packages
    • python312Packages.trino-python-client
    • python313Packages.trino-python-client
    • python314Packages.trino-python-client
    2 months, 3 weeks ago
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON

Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.

Affected products

trino
  • ==>= 439, < 480

Matching in nixpkgs

pkgs.trino-cli

Trino CLI provides a terminal-based, interactive shell for running queries

  • nixos-unstable 476
    • nixpkgs-unstable 476
    • nixos-unstable-small 476
Ignored packages (3)

Package maintainers

Advisory: https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644