CVE-2026-25212
Published: 02 April 2026
Summary
CVE-2026-25212 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Percona Monitoring And Management. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-6 enforces least privilege, directly mitigating the excessive superuser privileges held by the internal database user that allow pmm-admin attackers to execute OS shell commands via the Add data source feature.
SI-2 requires timely identification, reporting, and correction of system flaws, directly addressing this vulnerability through upgrades to Percona PMM 3.7 or later.
AC-3 mandates enforcement mechanisms for approved authorizations, preventing pmm-admin users from breaking out of the database context to execute arbitrary shell commands on the OS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authenticated RCE arises from exploiting the Add data source feature in the network-accessible PMM application (T1190), directly resulting in arbitrary Unix shell command execution on the host (T1059.004) and privilege escalation from pmm-admin to full OS control due to unnecessary DB superuser privileges (T1068).
NVD Description
An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell…
more
commands on the underlying operating system.
Deeper analysisAI
CVE-2026-25212 is a critical vulnerability affecting Percona Monitoring and Management (PMM) versions prior to 3.7. The flaw stems from an internal database user retaining specific superuser privileges, which enables an attacker with pmm-admin rights to exploit the "Add data source" feature. This allows breakout from the database context to execute arbitrary shell commands on the underlying operating system. The issue is classified under CWE-250 (Execution with Unnecessary Privileges) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker requires only low-privilege pmm-admin access to exploit this vulnerability remotely over the network with no user interaction needed. Successful exploitation grants full remote code execution on the host OS, providing complete confidentiality, integrity, and availability impact due to the scope change from changed components.
Percona addressed this vulnerability in PMM 3.7.0, as detailed in the official release notes, which describe it as an authenticated remote code execution issue via internal data source. Security practitioners should upgrade to PMM 3.7.0 or later to mitigate the risk, per the advisory at https://docs.percona.com/percona-monitoring-and-management/3/release-notes/3.7.0.html#authenticated-remote-code-execution-via-internal-data-source-cve-2026-25212. Additional information is available on Percona's site at https://percona.com.
Details
- CWE(s)