CVE-2025-52969

23.06.2025, 17:15

ClickHouse 25.7.1.557 allows low-privileged users to execute shell commands by querying existing Executable() tables created by higher-privileged users. Although the CREATE TABLE privilege is restricted, there is no access control preventing low-privileged users from invoking Executable tables already present in the system. If an attacker can influence the contents of the script referenced by the Executable() engine through writable paths, they may execute controlled commands in the context of the ClickHouse server, leading to privilege escalation and unauthorized code execution. NOTE: the Supplier's position is that these types of executions by low-privileged users are the expected behavior.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	2.8 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
mitre	CNA	2.8 LOW				CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-420 - Unprotected Alternate Channel
The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

References

https://github.com/skraft9/clickhouse-security-research