Summary
aiven_extras.pg_alter_subscription_refresh_publication() is a SECURITY DEFINER function owned by postgres. It constructs a dblink connection string using current_user, which resolves to postgres inside the SECDEF context, then connects to localhost via UNIX socket. The UNIX socket uses trust authentication for the postgres superuser, and dblink passes its own superuser() check because the effective user is postgres. The result is a full superuser database session to localhost that any authenticated avnadmin user can trigger. The same SECDEF call succeeds from within a logical replication apply worker trigger, demonstrating that the superuser dblink path is reachable from customer code executing inside the platform's own replication machinery.
Impact
The SECDEF dblink chain creates a customer-reachable pathway to a postgres superuser database connection. The queries executed through this session are currently fixed (ALTER SUBSCRIPTION REFRESH PUBLICATION), which limits immediate damage. The risk is in the security boundary: a superuser database connection to the managed PostgreSQL instance is reachable from customer-controlled code, bypassing the intended isolation between customer operations and the platform's internal management layer. Any future change to the aiven_extras code that introduces a parameter in this path would immediately yield arbitrary superuser SQL execution. The connection is also composable with the subscription ownership escalation issue (separate report) and the autovacuum chain.
Root cause
The function builds its connection string at runtime using current_user, which in a SECURITY DEFINER context resolves to the function owner, not the calling user:
PERFORM aiven_extras.dblink_record_execute(
pg_catalog.format('user=%L dbname=%L port=%L',
current_user, -- resolves to 'postgres' (SECDEF owner)
pg_catalog.current_database(),
(SELECT setting FROM pg_catalog.pg_settings WHERE name = 'port')),
...);
No host parameter is included, so libpq connects via UNIX socket. UNIX socket connections for the postgres user use trust or peer authentication on the managed instance, so no password is required. dblink's internal superuser() check passes because the SECDEF elevated the effective user to postgres.
A direct call to dblink_record_execute('user=postgres dbname=defaultdb port=<PORT>', ...) as avnadmin returns "password or GSSAPI delegated credentials required", confirming that the protection exists but is bypassed by the SECDEF elevation.
Proof of concept
The steps below demonstrate the superuser dblink session from both a direct call and from within an apply worker trigger. All credentials and instance identifiers have been replaced with placeholders.
Disclosure and fix
Reported to Aiven through their bug bounty program. Aiven triaged this as P3 (Medium). The recommended fix is to capture the calling user before the SECDEF elevation and use that identity for the dblink connection:
DECLARE l_caller TEXT := session_user;
-- use l_caller instead of current_user in format()
Alternatively, the function can connect as avnadmin (the calling user) rather than postgres, eliminating the superuser dblink session. As defense in depth, the pg_hba.conf local entry for the postgres user should require certificate or password authentication rather than trust or peer, preventing passwordless superuser UNIX socket connections from any path.
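The following is a constructed example added here, not aiven_extras code: it reproduces the identity mix-up described under Root cause, shows the session_user-based fix, and adds an audit query for SECURITY DEFINER functions that combine dblink with current_user. It assumes a scratch database and an existing low-privilege login role named app_user.

```sql
-- Run the CREATE/GRANT statements as a superuser in a scratch database.
-- Assumes a login role "app_user" exists (hypothetical, not part of the report).

-- 1. Inside a SECURITY DEFINER function, current_user is the function owner,
--    while session_user stays the role that actually logged in.
CREATE OR REPLACE FUNCTION secdef_identities()
RETURNS TABLE (current_user_name text, session_user_name text)
LANGUAGE sql SECURITY DEFINER AS $$
    SELECT current_user::text, session_user::text;
$$;
GRANT EXECUTE ON FUNCTION secdef_identities() TO app_user;

-- When *connected* as app_user this returns (postgres, app_user).
-- Note: SET ROLE is not equivalent, it changes current_user but leaves
-- session_user as the original login; use a real app_user connection.
SELECT * FROM secdef_identities();

-- 2. Safe pattern: capture the caller's identity from session_user and
--    build the dblink connection string from that, never from current_user.
CREATE OR REPLACE FUNCTION refresh_conninfo_for_caller()
RETURNS text
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
    l_caller text := session_user;  -- the login role, not the SECDEF owner
BEGIN
    RETURN pg_catalog.format('user=%L dbname=%L port=%L',
                             l_caller,
                             pg_catalog.current_database(),
                             current_setting('port'));
END;
$$;
-- Called as app_user this yields "user='app_user' dbname=... port=...",
-- so the dblink session carries the caller's privileges, not postgres'.

-- 3. Audit query: list SECURITY DEFINER functions whose body both calls
--    dblink and references current_user; every hit deserves manual review.
SELECT n.nspname, p.proname, pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND p.prosrc ~* 'dblink'
  AND p.prosrc ~* 'current_user'
ORDER BY 1, 2;
```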
-- Cleanup
SELECT aiven_extras.pg_alter_subscription_disable('sub1');
SELECT aiven_extras.pg_drop_subscription('sub1', true);
DROP TABLE pub_table CASCADE;
DROP TABLE loot;