Databases & Data Services

14 writeups

Replication Integrity Bypass via Lua `redis.set_repl(REPL_NONE)` Enables Silent Data Corruption and Persistent Backdoor Functions on Aiven Managed Valkey

April 15, 2026DoS / data integrity

Valkey replication stealth path bypasses listpack validation.

Read the writeup →

Databases & Data Services

Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL

April 15, 2026Info disclosure

MySQL binlog ACL bypass surfaces replication credentials.

Read the writeup →

Databases & Data Services

Report: aiven_gatekeeper Bypass via Implicitly Castable Argument Types

April 14, 2026Sandbox bypass

aiven_gatekeeper extension bypassed via implicit-cast-driven shadow functions.

Read the writeup →

Databases & Data Services

Report: Unqualified `parse_ident()` in SECURITY DEFINER Function (CVE-2025-31480 Variant)

April 14, 2026Privilege escalation

parse_ident without schema qualification inside SECDEF: variant of CVE-2025-31480 territory.

Read the writeup →

Databases & Data Services

Report: Autovacuum Arbitrary Code Execution via Expression Index Shadow Functions

April 14, 2026Code execution

Autovacuum executes attacker-defined function under the SECURITY_RESTRICTED bypass path.

Read the writeup →

Databases & Data Services

ASLR Bypass via Lua Function Pointer Leak in Aiven Managed Valkey

April 14, 2026Info disclosure

ASLR leak through replication metadata.

Read the writeup →

Databases & Data Services

Report: Superuser Database Connection via SECURITY DEFINER dblink Chain

April 13, 2026Privilege escalation

SECURITY DEFINER + dblink loopback chain reaches an unrestricted superuser session.

Read the writeup →

Databases & Data Services

Report: Privilege Boundary Violation via Subscription Ownership Escalation

April 13, 2026Privilege escalation

Postgres CREATE SUBSCRIPTION executes under session_user=postgres, escalating sandboxed user to superuser context.

Read the writeup →

Databases & Data Services

Authenticated DoS: Karapace REST Proxy Crash via GZIP Compression Bomb in Kafka Messages

April 13, 2026DoS

Karapace REST proxy accepts gzip-compressed messages and decompresses without bounds.

Read the writeup →

Databases & Data Services

Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload

April 13, 2026DoS / OOM

Unbounded allocation in Dragonfly's stream RESTORE path.

Read the writeup →

Databases & Data Services

Stack Overflow in JSONMergePatch Crashes Aiven Managed ClickHouse via Single SELECT Query

April 12, 2026DoS / stack overflow

Single SELECT JSONMergePatch(...) SIGSEGVs the managed instance. Crash payload is storable in shared tables.

Read the writeup →

Databases & Data Services

Sql Query Optimizer Idor

April 8, 2026IDOR

Cross-project access to SQL optimizer artifacts via predictable object IDs.

Read the writeup →

Databases & Data Services

Project Name Enumeration

April 7, 2026Info disclosure

403 vs 404 oracle on /v1/project/<name> enumerates the entire managed-services customer base.

Read the writeup →

Databases & Data Services

Email Enumeration Timing

April 7, 2026Info disclosure

/v1/userauth timing differential distinguishes registered vs unregistered emails.

Read the writeup →