This vulnerability (CVE-2026-44029) in Nix before version 2.34.7 involves an absolute path traversal (CWE-36) that permits writing to arbitrary files. The flaw is triggered by using the 'nix-prefetch-url --unpack' or 'nix store prefetch-file --unpack' commands, which do not properly sanitize directory paths, allowing directory traversal attacks. Multiple versions from 2.24.7 through 2.34.0 are affected. The vendor has released fixed versions including 2.28.7, 2.29.4, 2.30.5, 2.31.5, 2.32.8, 2.33.6, and 2.34.7 to address this issue. The CVSS 3.1 base score is 5.3, indicating a medium severity vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity loss without confidentiality or availability impact.

An attacker can write to arbitrary files on the system by exploiting directory traversal in specific Nix commands, potentially modifying files without authorization. This could lead to integrity violations but does not affect confidentiality or availability according to the CVSS vector. No known exploits have been reported in the wild.

Fixed versions of Nix have been released starting from 2.28.7 through 2.34.7. Users should upgrade to one of these fixed versions to remediate the vulnerability. Patch status is not explicitly confirmed in the input data, but the presence of fixed versions indicates an official fix is available. No additional vendor advisory content is provided, so users should consult the official NixOS channels for the latest remediation guidance.