CVE-2026-53759

LOWPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases

Summary

The SQLite databases are created at predictable (static) paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target. This becomes really dangerous for the scripts which can be executed as root with sudo. With this, an attacker can write to abitrary paths.

PoC

The docker-stats check command here as an example. Because writing to /tmp is the default behaviour, the other check commands which use a SQLite database are also very likely affected.
# Create the symlink as nagios user
nagios@test-server:/tmp$ ln -s /root/nagios-was-here /tmp/linuxfabrik-monitoring-plugins-docker-stats.db

Trigger the execution nagios user

nagios@test-server:/tmp$ sudo /usr/lib64/nagios/plugins/docker-stats
Check whether or not file was created.
root@test-server:/# file /root/nagios-was-here
/root/nagios-was-here: SQLite 3.x database, last written using SQLite version 3046001, file counter 2, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 2

Impact

In it's basic form, this vulnerbility can lead to a denial of service, impacting users who use the provided sudoers file and who didn't take any special precautions like systemd's PrivateTemp. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).

If any application on the server relies on a SQLite database, there are scenarios where this vulnerability allows for content in existing SQLite databases to be modified. An attacker could let the symlink point to an existing SQLite database and create in /tmp a specially-crafted SQLite Rollback Journal (.db-journal) or Write-Ahead-Log (.db-wal), which is then applied to the database.

Fix

A proposed fix would be to create a separate directory inside /tmp per user (e.g., /tmp/linuxfabrik-monitoring-plugins-{os.geteuid()}). After creating this directory (or using an already existing one), check the following:
# Use os.lstat() instead of os.stat() so we don't accidentally follow symlinks
dir_stat = os.lstat(TMP_DIR_PATH)

Ensure the directory is a real dir and not a Symlink

if not stat.S_ISDIR(dir_stat.st_mode): # abort the execution sys.exit(1)

Verify the owner

if dir_stat.st_uid != os.getuid(): # abort the execution sys.exit(1)

Verify the permissions

if (dir_stat.st_mode & 0o077) != 0: # abort the execution sys.exit(1)

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 6, 2026

Last Modified

July 6, 2026

Vendor Advisories for CVE-2026-53759(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 20:37 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-53759?
CVE-2026-53759 is a low vulnerability published on July 6, 2026. Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases Summary The SQLite databases are created at predictable (static) paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks…
When was CVE-2026-53759 disclosed?
CVE-2026-53759 was first published in the National Vulnerability Database on July 6, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-53759?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53759, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53759

Explore →

Is Your Infrastructure Affected by CVE-2026-53759?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.