CVE-2026-25212
Privilege Escalation in Percona PMM Allows OS Command Execution

Publication date: 2026-04-02

Last updated on: 2026-04-21

Assigner: MITRE

Description
An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system.
Meta Information
Published
2026-04-02
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
EUVD
Affected Vendors & Products
1 associated CPE

Vendor: percona
Product: monitoring_and_management
Version / Range: up to 3.7.0 (excluding 3.7.0)
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Compliance Impact

The vulnerability in Percona PMM before version 3.7 allows an attacker with pmm-admin rights to execute arbitrary shell commands on the underlying operating system, which can lead to a complete compromise of the system.

Such a security flaw poses a significant risk to the confidentiality, integrity, and availability of data managed by the system, potentially leading to violations of common compliance standards and regulations such as GDPR and HIPAA that require strict controls over data access and system security.

By enabling remote code execution, this vulnerability could allow unauthorized access to sensitive personal or health information, thereby undermining compliance with data protection requirements.

Impact Analysis

This vulnerability can have serious impacts as it allows an attacker with pmm-admin rights to execute arbitrary shell commands on the underlying operating system. This could lead to full system compromise, unauthorized data access, data manipulation, or disruption of services.

Because the attacker can break out of the database context, they can potentially gain control beyond the database itself, affecting the entire host system where PMM is running.

Executive Summary

CVE-2026-25212 is a security vulnerability found in Percona Monitoring and Management (PMM) versions before 3.7. It occurs because an internal database user retains specific superuser privileges. This allows an attacker who has pmm-admin rights to misuse the "Add data source" feature to escape the database context and execute shell commands on the underlying operating system.

This vulnerability is classified as an authenticated remote code execution (RCE) issue, meaning an attacker with valid credentials can run arbitrary code remotely on the affected system.

Mitigation Strategies

To mitigate the CVE-2026-25212 vulnerability, you should upgrade Percona Monitoring and Management (PMM) to version 3.7.0 or later, as this release addresses the authenticated remote code execution vulnerability.

Ensure that only trusted users have pmm-admin rights, since the vulnerability allows an attacker with these rights to execute shell commands on the underlying operating system.
