CVE-2026-44029
Deferred Deferred - Pending Action
Directory Traversal in Nix Package Manager

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: MITRE

Description
An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44029
EUVD
EUVD-2026-27166
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nix nix From 2.24.4 (inc)
lix lix From 2.93.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44029 is an absolute path traversal vulnerability in the Nix package manager versions 2.24.7 and later. It occurs when using commands like "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" to unpack archives. The vulnerability allows writing files to arbitrary locations on the filesystem outside the intended extraction directory if the archive contains entries with absolute paths.

This means that an attacker who can supply a crafted archive to these commands could cause files to be written anywhere on the system, potentially overwriting important files.

The issue was fixed in versions 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7.

Impact Analysis

This vulnerability can impact you by allowing an attacker to write files to arbitrary locations on your system when you use the vulnerable Nix commands to unpack archives. This could lead to unauthorized modification of files, potentially compromising system integrity.

While the vulnerability does not directly affect confidentiality or availability, it impacts integrity by allowing low-level unauthorized file writes.

Users are advised to avoid running the vulnerable commands on untrusted inputs to mitigate the risk.

Detection Guidance

This vulnerability involves directory traversal when using the commands "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" which can write to arbitrary files outside the intended extraction root.

To detect if your system is vulnerable, you can check the installed Nix version to see if it is older than the fixed versions (2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7).

There are no explicit detection commands provided in the resources, but you can verify the Nix version by running:

  • nix --version

Additionally, monitoring usage of the vulnerable commands with unpack options on untrusted inputs may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Nix to one of the fixed versions: 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7.

Until you can upgrade, avoid running the vulnerable commands "nix-prefetch-url --unpack" and "nix store prefetch-file --unpack" on untrusted or potentially malicious archives.

Restrict access to the Nix daemon to only trusted users, as exploitation requires local access and permissions to connect to the daemon.

Consider monitoring and limiting daemon connections and applying any additional security controls to reduce the risk of local privilege escalation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart