Nixpkgs security tracker


Suggestion detail

Dismissed
(not in Nixpkgs)
CVE-2026-42276
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
updated 2 weeks, 1 day ago by @mweinelt

Activity log
  • Created suggestion
  • @mweinelt ignored
    10 packages
    • onyx
    • fontcronyxcyrillic
    • font-cronyx-cyrillic
    • xorg.fontcronyxcyrillic
    • python312Packages.ekey-bionyxpy
    • python313Packages.ekey-bionyxpy
    • python314Packages.ekey-bionyxpy
    • typstPackages.onyx-itu-unofficial
    • typstPackages.onyx-itu-unofficial_0_1_0
    • home-assistant-component-tests.ekeybionyx
  • @mweinelt dismissed (not in Nixpkgs)
Onyx: IDOR in /chat/stop-chat-session allows any authenticated user to interrupt other users' chat sessions

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An attacker who knows a chat session UUID can kill another user's LLM generation mid-stream. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.

Affected products

onyx
  • < 3.0.9
  • >= 3.1.0, < 3.1.6
  • >= 3.2.0, < 3.2.6