Summary
On Aiven's managed MySQL service, the default avnadmin user has unrestricted SELECT access to the mysql.user system table. This exposes caching_sha2_password hashes for all system accounts: the internal root user, the repluser replication account, and the metrics_user_datadog and metrics_user_telegraf monitoring accounts. Aiven explicitly revokes write operations on mysql.* (INSERT, UPDATE, DELETE, CREATE, DROP, and others), demonstrating clear intent to restrict access to system tables. The SELECT privilege was not included in the revocation.
Impact
The most serious exposure is the root@fda7:a938:5bfe:5fa6:% account. It holds ALL privileges including SUPER, FILE, SHUTDOWN, and SYSTEM_VARIABLES_ADMIN, with a host restriction to Aiven's internal IPv6 ULA prefix, which is shared across Aiven services in the same region. An attacker who cracks the root password hash and reaches the internal network (for example, via SSRF from another Aiven service) gains full MySQL root access, including:
- FILE: read/write arbitrary files on the MySQL host
- SUPER: bypass all access restrictions, kill processes, change global variables
- SHUTDOWN: stop the MySQL server
- SYSTEM_VARIABLES_ADMIN: enable local_infile, change secure_file_priv, modify logging
The repluser@% account has REPLICATION SLAVE privilege with no host restriction. Cracking its hash allows an attacker from any IP to stream the entire binary log, exfiltrating all data changes including INSERT statements with sensitive values.
Binary logs are also readable via SHOW BINLOG EVENTS to avnadmin, potentially exposing historical CREATE USER ... IDENTIFIED BY statements with plaintext passwords.
Root cause
Aiven's privilege grant for avnadmin explicitly revokes:
REVOKE INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW,
CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER
ON "mysql".* FROM "avnadmin"@"%"
The SELECT privilege was not included in the revocation, leaving avnadmin able to read every row in mysql.user, mysql.db, and all other grant tables. A single query, SELECT user, host, authentication_string, Super_priv FROM mysql.user, returns all system account hashes.
Proof of concept
The query below retrieves all system account password hashes. Actual hash values have been replaced with <HASH>. All instance identifiers have been removed.
Disclosure and fix
Reported to Aiven through their bug bounty program. Aiven triaged this as P2 (High). Recommended fixes:
- Revoke SELECT on mysql.user for avnadmin:
  REVOKE SELECT ON mysql.user FROM 'avnadmin'@'%';
  Or, more broadly, revoke all access and selectively re-grant only what the customer user legitimately needs (such as UDF listing via mysql.func).
- Restrict the root user's host to a narrower range, or disable the root account and manage it via a separate internal orchestration channel.
- Rotate credentials for the exposed accounts, as the hashes were queryable by any avnadmin user and may have been read prior to the fix.
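The following is an added verification helper, written for this writeup and not code from Aiven or from the original report. It computes the effective privileges an account holds on the mysql schema from the text of SHOW GRANTS output, so an operator can confirm before and after the fix whether the grant tables remain readable. The two SHOW GRANTS listings are constructed to mirror the grant and partial revoke described in the root-cause section; the function names (effective_privs, can_read_grant_tables, remediation) are this example's own. The remediation it emits is the database-level form, REVOKE SELECT ON mysql.*, which is the same shape as Aiven's existing partial revoke: MySQL 8 records partial revokes per database rather than per table, so that is the form that subtracts from a global SELECT grant.

```python
import re

# Constructed sample of what SHOW GRANTS FOR 'avnadmin'@'%' returns on a
# MySQL 8 server with partial_revokes=ON. Not captured from a real instance.
GRANTS_BEFORE_FIX = [
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, "
    "CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON *.* TO `avnadmin`@`%` "
    "WITH GRANT OPTION",
    "REVOKE INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, "
    "CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON `mysql`.* FROM `avnadmin`@`%`",
]

# Same account after the database-level SELECT revoke has been applied.
GRANTS_AFTER_FIX = GRANTS_BEFORE_FIX + [
    "REVOKE SELECT ON `mysql`.* FROM `avnadmin`@`%`",
]

_GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO ", re.IGNORECASE)
_REVOKE_RE = re.compile(r"^REVOKE (?P<privs>.+?) ON (?P<obj>\S+) FROM ", re.IGNORECASE)


def _split_privs(text):
    """Turn 'SELECT, INSERT, CREATE TEMPORARY TABLES' into an upper-cased set."""
    privs = {p.strip().upper() for p in text.split(",") if p.strip()}
    # ALL / ALL PRIVILEGES implicitly contains SELECT; keep a marker for it.
    if privs & {"ALL", "ALL PRIVILEGES"}:
        privs.add("ALL")
    return privs


def _norm_obj(obj):
    """Strip identifier quoting so `mysql`.* and "mysql".* compare equal."""
    return obj.replace("`", "").replace('"', "")


def effective_privs(grant_lines, database):
    """Effective static privileges on <database>.* from SHOW GRANTS lines.

    Global grants (*.*) apply to every database, database-level grants add to
    them, and partial revokes (REVOKE ... ON db.*) subtract from that set.
    """
    granted, revoked = set(), set()
    for line in grant_lines:
        m = _GRANT_RE.match(line)
        if m:
            obj = _norm_obj(m.group("obj"))
            if obj in ("*.*", f"{database}.*"):
                granted |= _split_privs(m.group("privs"))
            continue
        m = _REVOKE_RE.match(line)
        if m and _norm_obj(m.group("obj")) == f"{database}.*":
            revoked |= _split_privs(m.group("privs"))
    return granted - revoked


def can_read_grant_tables(grant_lines):
    """True if the account can still SELECT from mysql.user and the other grant tables."""
    privs = effective_privs(grant_lines, "mysql")
    return "SELECT" in privs or "ALL" in privs


def remediation(grant_lines, account="'avnadmin'@'%'"):
    """Return the REVOKE statement that closes the exposure, or None if already closed."""
    if can_read_grant_tables(grant_lines):
        return f"REVOKE SELECT ON mysql.* FROM {account};"
    return None


if __name__ == "__main__":
    for label, grants in (("before fix", GRANTS_BEFORE_FIX), ("after fix", GRANTS_AFTER_FIX)):
        print(f"{label}: grant tables readable = {can_read_grant_tables(grants)}; "
              f"remediation = {remediation(grants)}")
```

To use it against a live server, paste the rows returned by SHOW GRANTS FOR 'avnadmin'@'%' into the list; the check is deliberately text-based so it can be run from an audit host without database credentials. Note that it models static privileges only; dynamic privileges such as SYSTEM_VARIABLES_ADMIN appear on their own GRANT lines and are not needed to decide whether mysql.user is readable.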