Description
An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path
Published: 2026-07-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in SQLite before the code change identified by check-in 869a51ae84df allows a local attacker to obtain sensitive data by exploiting the Session Extension changeset concat/changegroup merge path. The flaw is a buffer over‑read that can expose confidential information stored in the database to the user executing the database. The primary impact is that an attacker with local file system access may read data they are not authorized to see, potentially compromising data confidentiality and integrity.

Affected Systems

The vulnerability affects the SQLite database engine, specifically any application that uses a version released prior to the mentioned check-in. No vendor or product name beyond SQLite is provided in the CVE data.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium‑to‑high severity vulnerability. Exploit probability is uncertain because the EPSS score is not available, and it is not listed in CISA’s KEV catalog, suggesting no publicly known exploits at this time. An attacker would need local access and the ability to manipulate the Session Extension changeset merge path; the attack remains local and requires some privilege to write or command the database engine.

Generated by OpenCVE AI on July 9, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SQLite to a version that includes check-in 869a51ae84df or later.
  • If an immediate update is not possible, limit local user privileges on the system so that only trusted users can access the SQLite database files.
  • Monitor the database for abnormal Session Extension changes and investigate any unauthorized modifications.

Generated by OpenCVE AI on July 9, 2026 at 04:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 04:45:00 +0000

Type Values Removed Values Added
Title SQLite Local Information Disclosure via Session Extension Merge Path

Wed, 08 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Sqlite
Sqlite sqlite
Vendors & Products Sqlite
Sqlite sqlite

Wed, 08 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AC:L/AV:L/A:H/C:L/I:N/PR:N/S:U/UI:R'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-08T20:12:52.184Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50813

cve-icon Vulnrichment

Updated: 2026-07-08T20:12:18.793Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:30:13Z

Weaknesses