PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability

Vulnerability

A SQL injection vulnerability allowing remote code execution has been identified in PostHog installations that use ClickHouse table functions. This issue arises from improper validation of user-supplied strings in the SQL parser, enabling authenticated, network-adjacent attackers to execute arbitrary code within the context of the database account.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system, executed with the privileges of the database account.

Remediation

PostHog has released a patch for this vulnerability. Users should update to the latest version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 4.5
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.