Nixpkgs security tracker
Permalink
CVE-2026-34214
7.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.
References
-
https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644 x_refsource_CONFIRM
-
https://github.com/trinodb/trino/releases/tag/480 x_refsource_MISC
Affected products
trino
- ==>= 439, < 480
Matching in nixpkgs
pkgs.trino-cli
Trino CLI provides a terminal-based, interactive shell for running queries
pkgs.python312Packages.trino-python-client
Client for the Trino distributed SQL Engine
pkgs.python313Packages.trino-python-client
Client for the Trino distributed SQL Engine
pkgs.python314Packages.trino-python-client
Client for the Trino distributed SQL Engine
Package maintainers
-
@flokli Florian Klink <flokli@flokli.de>
-
@cpcloud Phillip Cloud
-
@regadas Filipe Regadas <oss@regadas.email>