CVE-2020-26273 [Medium] | Code Injection in Osquery

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-21	0.11%	0.23%	+0.12%
2	2025-11-21	0.19%	0.11%	-0.08%
3	2025-11-18	—	0.19%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-21

0.11%

0.23%

+0.12%

2025-11-21

0.19%

0.11%

-0.08%

2025-11-18

—

0.19%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.2	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.0	2.7	[email protected]
5.2	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.0	2.7	[email protected]
3.6	2.0	LOW	`AV:L/AC:L/Au:N/C:P/I:P/A:N` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	3.9	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.2

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.0

2.7

[email protected]

5.2

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.0

2.7

[email protected]

3.6

2.0

LOW

AV:L/AC:L/Au:N/C:P/I:P/A:N Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

3.9

4.9

[email protected]

Affected software / configurations for CVE-2020-26273

Vendor	Product	Version	Raw CPE
linuxfoundation	osquery	< 4.6.0	cpe:2.3:a:linuxfoundation:osquery::::::::

References for CVE-2020-26273

URL	Tags
https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c	Patch Third Party Advisory
https://github.com/osquery/osquery/releases/tag/4.6.0	Release Notes Third Party Advisory
https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8	Exploit Third Party Advisory
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension	Exploit Third Party Advisory

URL

CVE-2020-26273 | sqlite ATTACH allows some filesystem access

Public exploit references (Exploit-DB) for CVE-2020-26273

Exploit prediction scoring system (EPSS) score for CVE-2020-26273

Common vulnerability scoring system (CVSS) metrics for CVE-2020-26273

Weakness enumeration for CVE-2020-26273

Affected software / configurations for CVE-2020-26273

References for CVE-2020-26273