CVE-2026-61828 PUBLISHED

nixos/mysql : `services.mysql` is configured with insecure authentication by default when used with `mysql` or `percona-server`

Assigner: GitHub_M
Reserved: 10.07.2026 Published: 15.07.2026 Updated: 15.07.2026

Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the same host, to log in as the root user without a password when the service is used with mysql or percona-server. This issue is fixed in the 25.11 and 26.05.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Product Status

Vendor NixOS
Product nixpkgs
Versions
  • Version < 25.11 is affected
  • Version >= 26.05-beta, < 26.05 is affected

References

Problem Types

  • CWE-276: Incorrect Default Permissions CWE