nixos/mysql : `services.mysql` is configured with insecure authentication by default when used with `mysql` or `percona-server`
Summary
| CVE | CVE-2026-61828 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-15 16:16:50 UTC |
| Updated | 2026-07-15 20:49:41 UTC |
| Description | Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05. |
Risk And Classification
Primary CVSS: v4.0 8.5 HIGH from [email protected]
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-276 | CWE-276 CWE-276: Incorrect Default Permissions
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.5 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.5 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
Attack Vector
LocalAttack Complexity
LowAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/NixOS/nixpkgs/pull/534484 | [email protected] | github.com | |
| github.com/NixOS/nixpkgs/pull/534482 | [email protected] | github.com | |
| github.com/NixOS/nixpkgs/commit/f8ee41468a7a8f9ed3a8cc7d017151c2ca6f90b5 | [email protected] | github.com | |
| github.com/NixOS/nixpkgs/commit/3f68d7ad2a6865ff8b4910d89f173d7258bad8dd | [email protected] | github.com | |
| github.com/NixOS/nixpkgs/security/advisories/GHSA-6qxx-6rg8-c4p8 | [email protected] | github.com | |
| github.com/NixOS/nixpkgs/commit/4aed47116a8734922763cd8f477467b0a0bcd6d7 | [email protected] | github.com | |
| github.com/NixOS/nixpkgs/pull/534254 | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.