CVE-2026-61828 in nixpkgs
Summary
by MITRE • 07/15/2026
Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability exists within the Nixpkgs ecosystem where the MySQL service module in NixOS fails to properly secure database initialization procedures. The flaw allows local privilege escalation through unauthorized root access without authentication, creating a critical security risk for systems utilizing mysql or percona-server packages. The issue stems from improper default configuration during database setup that permits passwordless root login access.
The technical implementation of this vulnerability involves the MySQL service module's initialization process which does not adequately enforce secure default settings. When NixOS provisions a MySQL service using the affected Nixpkgs versions, it creates an insecure configuration where the root user account is accessible without password authentication. This misconfiguration allows any local unprivileged user to gain administrative access to the database system.
The operational impact of this vulnerability extends beyond simple privilege escalation as it enables potential data theft, modification, or deletion operations with full administrative privileges. Attackers leveraging this flaw could compromise sensitive database information, manipulate application data, or establish persistent access points within the system. The vulnerability particularly affects web applications running on the same host that utilize MySQL databases, making it a significant concern for shared hosting environments or multi-tenant systems.
This issue maps to CWE-798 (Use of Hard-coded Credentials) and CWE-259 (Use of Password in Cleartext) within the Common Weakness Enumeration framework, representing hardcoded security flaws and improper credential management. From an ATT&CK perspective, this vulnerability enables privilege escalation techniques under T1068 (Local Potentially Privileged Execution) and credential access through T1566 (Phishing for Credentials). The vulnerability also relates to T1210 (Exploitation of Remote Services) when exploited in environments where web applications interact with local MySQL instances.
Mitigation strategies include upgrading to NixOS channel versions 25.11 or 26.05 where the fix has been implemented, manually configuring secure database initialization procedures, and implementing additional access controls such as firewall rules limiting database connectivity. Organizations should also conduct immediate vulnerability assessments to identify systems running affected versions and ensure that root accounts are properly secured with strong authentication mechanisms. The fix addresses the root cause by implementing proper database initialization that enforces password requirements for administrative accounts and prevents automatic passwordless root access during service setup.