Dismissed
(not in Nixpkgs)
CVE-2026-44501
4.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
DataHub OIDC REDIRECT_URL Cookie Deserialization Vulnerability
DataHub is an open-source metadata platform. Prior to 1.5.0.3, the DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting the GET /callback/oidc endpoint. Successful exploitation requires a valid user account in the configured OIDC identity provider. This vulnerability is fixed in 1.5.0.3.
References
Affected products
datahub
- ==< 1.5.0.3
Matching in nixpkgs
pkgs.python312Packages.cryptodatahub
Repository of cryptography-related data
pkgs.python313Packages.cryptodatahub
Repository of cryptography-related data
pkgs.python314Packages.cryptodatahub
Repository of cryptography-related data
Package maintainers
- @phanirithvij Phani Rithvij <phanirithvij2000@gmail.com>
- @wegank Weijia Wang <contact@weijia.wang>
- @Prince213 Sizhe Zhao <prc.zhao@outlook.com>
- @eljamm Fedi Jamoussi <fedi.jamoussi@protonmail.ch>
- @ethancedwards8 Ethan Carter Edwards <ethan@ethancedwards.com>