CVE-2026-46388

medium

Description

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.

References

https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh

https://github.com/osquery/osquery/releases/tag/5.23.1

https://github.com/osquery/osquery/pull/8961

https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68

Details

Source: Mitre, NVD

Published: 2026-07-10

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 3.8

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N

Severity: Low

CVSS v3

Base Score: 4.4

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00094