Zion Boggan

In-depth vulnerability research, detection engineering & applied cryptography.

Info disclosure

Aiven Internal System Account Password Hashes Exposed to Customer Users via mysql.user SELECT on Aiven Managed MySQL

Summary

On Aiven’s managed MySQL service, the default avnadmin user has unrestricted SELECT access to the mysql.user system table, which exposes the caching_sha2_password password hashes for ALL system accounts, including Aiven’s internal root user, the repluser replication account, and the metrics_user_datadog and metrics_user_telegraf monitoring accounts.

The root account (root@fda7:a938:5bfe:5fa6:%) has full SUPER, FILE, SHUTDOWN, and all administrative privileges, and is accessible from any host within Aiven’s internal IPv6 ULA prefix. Any customer who can crack the root password hash and access the internal network (e.g., via a cross-service SSRF from another compromised Aiven service) gains full MySQL root access with capabilities far exceeding what avnadmin is intended to have, including FILE (arbitrary file read/write), SUPER (bypass all restrictions), and SHUTDOWN.

Aiven demonstrates clear intent to restrict avnadmin's access to the mysql system schema by explicitly revoking INSERT, UPDATE, DELETE, CREATE, DROP, and other write privileges on mysql.*. However, SELECT was not revoked, so all credential data in that schema remains readable.

Affected Target

  • Service: Aiven for MySQL (Tier 2)
  • Version tested: MySQL 8.0.45
  • Instance: :12741

Severity

P2, Sensitive Data Exposure

VRT: Server Security Misconfiguration > Database Management System (DBMS) Misconfiguration > Excessively Privileged User / DBA

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, Score: 7.7 (High)

  • C:H, Complete credential exposure of all system accounts including root
  • S:C, Scope changed: customer credentials expose Aiven’s internal infrastructure accounts

Steps to Reproduce

One-command credential dump

```sql
SELECT user, host, plugin, authentication_string, Super_priv,
       Grant_priv, password_expired, account_locked
FROM mysql.user;
```

Actual output on Aiven (hashes redacted and truncated):

```
+-----------------------+-----------------------+-----------------------+--------------------------------------------+
| user                  | host                  | plugin                | authentication_string (truncated)          |
+-----------------------+-----------------------+-----------------------+--------------------------------------------+
| avnadmin              | %                     | caching_sha2_password | $A$005$<hash>                              |
| repluser              | %                     | caching_sha2_password | $A$005$<hash>                              |
| metrics_user_datadog  | ::1                   | caching_sha2_password | $A$005$<hash>                              |
| metrics_user_telegraf | ::1                   | caching_sha2_password | $A$005$<hash>                              |
| root                  | fda7:a938:5bfe:5fa6:% | caching_sha2_password | $A$005$<hash> (Super=Y, Grant=Y, locked=N) |
| mysql.infoschema      | localhost             | caching_sha2_password | THISISACOMBINATIONOFINVALID...             |
| mysql.session         | localhost             | caching_sha2_password | THISISACOMBINATIONOFINVALID...             |
| mysql.sys             | localhost             | caching_sha2_password | THISISACOMBINATIONOFINVALID...             |
+-----------------------+-----------------------+-----------------------+--------------------------------------------+
```

Key exposed accounts:

| Account               | Host Restriction      | Privileges                                   | Risk                                      |
|-----------------------|-----------------------|----------------------------------------------|-------------------------------------------|
| root                  | fda7:a938:5bfe:5fa6:% | ALL + SUPER + FILE + SHUTDOWN                | Full server control from internal network |
| repluser              | % (any host)          | REPLICATION SLAVE + SERVICE_CONNECTION_ADMIN | Binary log streaming from anywhere        |
| metrics_user_datadog  | ::1 (localhost)       | Monitoring access                            | Internal monitoring disruption            |
| metrics_user_telegraf | ::1 (localhost)       | Monitoring access                            | Internal monitoring disruption            |

Impact

1. Internal Root Account Credential Exposure

The root@fda7:a938:5bfe:5fa6:% user has ALL privileges including SUPER, FILE, and SHUTDOWN. Its password hash is fully exposed. The host restriction uses Aiven’s internal IPv6 ULA prefix (fda7:a938:5bfe:5fa6::/80), which is shared across Aiven services in the same region.

An attacker who cracks the root hash can escalate to full MySQL root from any other Aiven service on the internal network, gaining capabilities that avnadmin intentionally lacks:

  • FILE privilege: read/write arbitrary files on the MySQL host
  • SUPER privilege: bypass all access restrictions, change global variables, kill any process
  • SHUTDOWN privilege: stop the MySQL server
  • SYSTEM_VARIABLES_ADMIN: enable local_infile, change secure_file_priv, modify logging

2. Replication Account Exposure

The repluser@% account has REPLICATION SLAVE privilege with no host restriction. If its password is cracked, an attacker can connect from any IP and stream the entire binary log, exfiltrating ALL data changes including INSERTs with sensitive values (passwords, tokens, PII).

3. Cross-Service Escalation Path

The internal IPv6 prefix fda7:a938:5bfe:5fa6::/80 is the same prefix discovered via PostgreSQL SSRF (documented in a separate submission). This creates a cross-service attack chain:

Customer MySQL (avnadmin) → SELECT mysql.user → root password hash
 → Crack hash offline
Customer PG (SSRF via dblink) → Connect to MySQL internal IPv6
 → Authenticate as root with cracked password 
 → Full MySQL root: FILE, SUPER, SHUTDOWN

4. Additional Information Disclosure

The admin_address global variable reveals the MySQL admin interface binding: fda7:a938:5bfe:5fa6:0:5a9:6ce7:66e1. Combined with the root hash, this pinpoints the exact target for internal privilege escalation.

Binary logs are also readable via SHOW BINLOG EVENTS, exposing all DDL/DML history including CREATE USER statements with IDENTIFIED BY clauses.

Root Cause

Aiven’s privilege model for avnadmin explicitly revokes write operations on the mysql schema:

```sql
REVOKE INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,
       CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
       CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
ON "mysql".* FROM "avnadmin"@"%"
```

This demonstrates Aiven’s intent to restrict access to system tables. However, SELECT was not included in the revocation, allowing full read access to mysql.user and all system tables containing credentials and configuration.

Recommended Fix

  1. Immediate: Revoke SELECT on mysql.user for avnadmin:

```sql
REVOKE SELECT ON mysql.user FROM 'avnadmin'@'%';
```

     Or more broadly:

```sql
REVOKE SELECT ON mysql.* FROM 'avnadmin'@'%';
GRANT SELECT ON mysql.func TO 'avnadmin'@'%'; -- if needed for UDF listing
```

     Note that if avnadmin's SELECT is granted globally (ON *.*), which the schema-level REVOKE in the Root Cause section implies, the table-level statement is rejected (there is no table-level grant to revoke): MySQL 8 partial revokes mask a global privilege only at the schema level and require partial_revokes=ON, so the mysql.* form is the one that actually removes read access.

  2. Defense in depth: Restrict the root user’s host to a narrower range than the entire /80 prefix, or disable the root account entirely and manage via a separate orchestration channel.

  3. Rotate credentials: The exposed hashes for root, repluser, and monitoring accounts should be rotated, as they may have already been read by other researchers or attackers.
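As an added illustration (not Aiven tooling and not part of the original writeup), the following Python parses SHOW GRANTS output for one account and decides whether its effective privileges still allow SELECT on a table in the mysql schema. It models the privilege layout described in the Root Cause section, a broad global grant plus a MySQL 8 partial revoke on `mysql`.*, and assumes partial_revokes is in effect so that a schema-level REVOKE masks the global grant; the grant lines it contains are constructed to match that description, not copied from a live service. Run against the before and after states it shows that the original revocation leaves mysql.user readable, while adding SELECT to the schema-level revoke closes it and the narrow GRANT on mysql.func keeps UDF listing working.

```python
import re

# Example added to this writeup; not Aiven code. Decides, from SHOW GRANTS
# lines, whether an account can still SELECT from a table in the mysql schema.
# Assumes MySQL 8 partial revokes (partial_revokes=ON), which is what a
# "REVOKE ... ON `mysql`.* FROM ..." line in SHOW GRANTS output implies.

_GRANT_RE = re.compile(
    r"^(?P<kind>GRANT|REVOKE)\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+(?:TO|FROM)\s+",
    re.IGNORECASE,
)


def _normalize_object(obj: str) -> str:
    # `mysql`.`user` -> mysql.user ; *.* stays as-is
    return obj.replace("`", "").lower()


def _parse_privs(privs: str) -> set[str]:
    # "SELECT, CREATE TEMPORARY TABLES" -> {"SELECT", "CREATE TEMPORARY TABLES"}
    return {p.strip().upper() for p in privs.split(",")}


def _has_select(privs: set[str]) -> bool:
    return "SELECT" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs


def can_read_table(grants: list[str], schema: str = "mysql", table: str = "user") -> bool:
    """True if the grantee's effective privileges include SELECT on schema.table.

    Global grants (ON *.*) apply unless a partial revoke on the schema masks
    them. Schema-level and table-level grants add access back independently
    of the global layer, which is how the mysql.func re-grant works.
    """
    global_privs: set[str] = set()
    schema_privs: set[str] = set()
    schema_revokes: set[str] = set()
    table_privs: set[str] = set()
    for line in grants:
        m = _GRANT_RE.match(line.strip())
        if not m:
            continue  # role grants, PROXY grants etc. are not modelled here
        kind = m.group("kind").upper()
        obj = _normalize_object(m.group("obj"))
        privs = _parse_privs(m.group("privs"))
        if kind == "GRANT":
            if obj == "*.*":
                global_privs |= privs
            elif obj == f"{schema}.*":
                schema_privs |= privs
            elif obj == f"{schema}.{table}":
                table_privs |= privs
        elif obj == f"{schema}.*":
            schema_revokes |= privs  # partial revoke on the schema
    global_select = _has_select(global_privs) and not _has_select(schema_revokes)
    return global_select or _has_select(schema_privs) or _has_select(table_privs)


def audit_mysql_user_readers(grants_by_account: dict[str, list[str]]) -> list[str]:
    """Return the accounts that can SELECT from mysql.user, i.e. read password hashes."""
    return sorted(acct for acct, g in grants_by_account.items() if can_read_table(g))


# Constructed SHOW GRANTS output for avnadmin as the writeup describes it:
# broad global grants, write privileges on `mysql`.* revoked, SELECT forgotten.
BEFORE_FIX = [
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, "
    "REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, "
    "LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, "
    "SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER "
    "ON *.* TO `avnadmin`@`%` WITH GRANT OPTION",
    "REVOKE INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, "
    "CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `mysql`.* FROM `avnadmin`@`%`",
]

# The same account after the recommended fix: SELECT joins the schema-level
# partial revoke and is re-granted only on mysql.func.
AFTER_FIX = BEFORE_FIX[:1] + [
    BEFORE_FIX[1].replace("REVOKE INSERT", "REVOKE SELECT, INSERT"),
    "GRANT SELECT ON `mysql`.`func` TO `avnadmin`@`%`",
]

if __name__ == "__main__":
    accounts = {"avnadmin@% (as found)": BEFORE_FIX, "avnadmin@% (fixed)": AFTER_FIX}
    print("can read mysql.user:", audit_mysql_user_readers(accounts))
    print("fixed account can still list mysql.func:", can_read_table(AFTER_FIX, "mysql", "func"))
```

To audit a real service, feed it the lines from SHOW GRANTS FOR 'user'@'host' for every login (for example from mysql --batch -e). Role and PROXY lines are skipped, so an account that inherits SELECT through a role needs its grants expanded with SHOW GRANTS ... USING role before the check is meaningful.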


Source · github.com/zionsworking/security-research-notebook · writeups/aiven/mysql-credential-exposure.md