Nixpkgs Security Tracker

Published

Permalink CVE-2026-25628

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
7 packages
- qdrant-web-ui
- python312Packages.qdrant-client
- python313Packages.qdrant-client
- python314Packages.qdrant-client
- python312Packages.llama-index-vector-stores-qdrant
- python313Packages.llama-index-vector-stores-qdrant
- pkgsRocm.python3Packages.llama-index-vector-stores-qdrant
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

Qdrant affected by arbitrary file write via `/logger` endpoint

Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0.

References

https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f x_refsource_CONFIRM
https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1 x_refsource_MISC
https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195 x_refsource_MISC

Affected products

qdrant

==>= 1.9.3, < 1.16.0

Matching in nixpkgs

pkgs.qdrant

Vector Search Engine for the next generation of AI applications

nixos-unstable 1.16.3
- nixpkgs-unstable 1.16.3
- nixos-unstable-small 1.16.3
nixos-25.11 1.15.5
- nixos-25.11-small 1.15.5
- nixpkgs-25.11-darwin 1.15.5

Package maintainers

@dit7ya Mostly Void <7rat13@gmail.com>

Upstream advisory: https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f
Upstream patch: https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.qdrant

Package maintainers