Skip to main content

pghoard CVE-2026-54711

LOW
Insertion of Sensitive Information into Log File (CWE-532)
2026-06-18 https://github.com/Aiven-Open/pghoard GHSA-mpx4-jmpr-vm8v

Severity by source

vuln.today AI
5.5 MEDIUM

Local vector because log file read access is the exploitation path; PR:L since reading logs requires at least unprivileged OS access; C:H for full credential disclosure; no integrity or availability impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 16:03 vuln.today
Analysis Generated
Jun 18, 2026 - 16:03 vuln.today

DescriptionCVE.org

Impact

When using .pgpass, database connection information including the username and password will be logged at the debug level.

Patches

Upgrade to version 2.7.1 or greater.

Workarounds

Filter out debug-level logs.

References

This issue was discovered by BugCrowd user DRAKOKORIAN.

AnalysisAI

Credential exposure in pghoard (Aiven's PostgreSQL backup tool) causes database usernames and passwords sourced from .pgpass files to be written in plaintext to debug-level logs. Versions up to and including 2.1.0 are affected per CPE data, though the vendor advisory specifies the fix lands in 2.7.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enable or find active debug logging on pghoard host
Delivery
Read debug log files or log aggregation output
Exploit
Extract .pgpass credentials logged in plaintext
Execution
Authenticate to PostgreSQL database with harvested credentials
Impact
Access or exfiltrate database contents

Vulnerability AssessmentAI

Exploitation Two specific conditions must both be true for exploitation: (1) pghoard must be configured to use a .pgpass file for PostgreSQL authentication - this is not the only supported auth method, so deployments using environment variables or other credential injection methods are not affected; (2) debug-level logging must be active in the pghoard process, which is a non-default verbosity level typically enabled deliberately or via misconfiguration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided by the vendor or NVD, requiring independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with read access to the host filesystem or a shared centralized log aggregation platform (e.g., a misconfigured ELK stack or a cloud logging service with overly broad IAM permissions) searches debug log output from a pghoard instance. They extract the plaintext PostgreSQL username and password logged during backup operations and use them to authenticate directly to the target database, bypassing the backup service entirely.
Remediation Upgrade pghoard to version 2.7.1 or greater as specified in the vendor security advisory at https://github.com/Aiven-Open/pghoard/security/advisories/GHSA-mpx4-jmpr-vm8v. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy