pghoard CVE-2026-54711
LOWSeverity by source
Local vector because log file read access is the exploitation path; PR:L since reading logs requires at least unprivileged OS access; C:H for full credential disclosure; no integrity or availability impact.
Lifecycle Timeline
2DescriptionCVE.org
Impact
When using .pgpass, database connection information including the username and password will be logged at the debug level.
Patches
Upgrade to version 2.7.1 or greater.
Workarounds
Filter out debug-level logs.
References
This issue was discovered by BugCrowd user DRAKOKORIAN.
AnalysisAI
Credential exposure in pghoard (Aiven's PostgreSQL backup tool) causes database usernames and passwords sourced from .pgpass files to be written in plaintext to debug-level logs. Versions up to and including 2.1.0 are affected per CPE data, though the vendor advisory specifies the fix lands in 2.7.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two specific conditions must both be true for exploitation: (1) pghoard must be configured to use a .pgpass file for PostgreSQL authentication - this is not the only supported auth method, so deployments using environment variables or other credential injection methods are not affected; (2) debug-level logging must be active in the pghoard process, which is a non-default verbosity level typically enabled deliberately or via misconfiguration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector was provided by the vendor or NVD, requiring independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with read access to the host filesystem or a shared centralized log aggregation platform (e.g., a misconfigured ELK stack or a cloud logging service with overly broad IAM permissions) searches debug log output from a pghoard instance. They extract the plaintext PostgreSQL username and password logged during backup operations and use them to authenticate directly to the target database, bypassing the backup service entirely. |
| Remediation | Upgrade pghoard to version 2.7.1 or greater as specified in the vendor security advisory at https://github.com/Aiven-Open/pghoard/security/advisories/GHSA-mpx4-jmpr-vm8v. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mpx4-jmpr-vm8v