Nixpkgs security tracker
Permalink
CVE-2026-25628
8.6 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- Created suggestion
Qdrant affected by arbitrary file write via `/logger` endpoint
Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0.
References
-
https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f x_refsource_CONFIRM
Affected products
qdrant
- ==>= 1.9.3, < 1.16.0
Matching in nixpkgs
pkgs.qdrant
Vector Search Engine for the next generation of AI applications
pkgs.qdrant-web-ui
Self-hosted web UI for Qdrant
pkgs.python312Packages.qdrant-client
Python client for Qdrant vector search engine
-
nixos-unstable 1.15.1
pkgs.python313Packages.qdrant-client
Python client for Qdrant vector search engine
pkgs.python314Packages.qdrant-client
Python client for Qdrant vector search engine
pkgs.python312Packages.llama-index-vector-stores-qdrant
LlamaIndex Vector Store Integration for Qdrant
-
nixos-unstable 0.6.1
pkgs.python313Packages.llama-index-vector-stores-qdrant
LlamaIndex Vector Store Integration for Qdrant
pkgs.pkgsRocm.python3Packages.llama-index-vector-stores-qdrant
LlamaIndex Vector Store Integration for Qdrant
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@happysalada Raphael Megzari <raphael@megzari.com>
-
@dit7ya Mostly Void <7rat13@gmail.com>
-
@xzfc Albert Safin <xzfcpw@gmail.com>