Inside PostHog: SSRF, ClickHouse SQL Escape and Default Postgres Creds to RCE
13 comments
· December 17, 2025 · anothercat
nightpool
It looks like the entire class of bugs here is "if you have access to PostHog's admin dashboard, you can configure webhook URLs that hit PostHog's internal services". That's not particularly surprising for a self-hosted system like the author's, but I expect it would be pretty bad if you were using their cloud-hosted product.
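The defensive counterpart to the webhook-URL problem described above, as an added example that is not PostHog's code or anyone's in this thread: a destination check for user-supplied webhook URLs that refuses loopback, private, link-local and IPv4-mapped addresses. The `resolver` parameter and the hostnames in the comments are assumptions for illustration.

```python
# Added example: validate a user-supplied webhook URL before an outbound
# request is made, so it cannot be pointed at internal services.
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound webhook should never reach (loopback, RFC 1918,
# CGNAT, link-local incl. cloud metadata, IPv6 ULA and link-local).
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if the IP is internal. Handles ::ffff:a.b.c.d and zone ids."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
    return any(ip in net for net in _BLOCKED_NETS)


def resolve(host: str) -> list[str]:
    """Default resolver (hypothetical hook so tests can inject a fake one)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_webhook_url(url: str, resolver=resolve) -> tuple[bool, str]:
    """Return (ok, reason). Every address the host resolves to must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve host: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{parts.hostname} resolves to internal {addr}"
    return True, "ok"
```

DNS answers can change between this check and the actual request, so the HTTP client should connect to the address that was validated (or re-run the check at connect time) rather than resolving the hostname a second time.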
lkt
Out of interest, how much does ZDI pay for a bug like this?
thenaturalist
Wow, chapeau to the author.
What an elegant, interesting read.
What I don't quite understand: Why is the Clickhouse bug not given more scrutiny?
Like that escape bug was what made the RCE possible and certainly a core DB company like ClickHouse should be held accountable for such an oversight?
matmuls
SSRF was the entry point, and ClickHouse is supposed to be an internal-only service, but one could reach it only with that SSRF, hence less "scrutiny". The 0day by itself wouldn't be useful unless an attacker can reach ClickHouse, which they usually can't.
thenaturalist
But if they do, prohibiting SQL injection, a critical last mile vulnerability, seems trivial?
nightpool
The author already had basically full ClickHouse querying abilities, and ClickHouse lets you run arbitrary SQL on Postgres. The fact that the author used a read-only command to execute it wasn't the author bypassing a security boundary (anyone with access to the ClickHouse DB also had access to the Postgres DB); it was just a gadget that made the SSRF more convenient. They could have escalated it into a different internal HTTP API instead.
taw_1265
PostHog does a lot of vibe coding, I wonder how many other issues they have.
Nextgrid
Not that I’m disproving it but do you have a source? Companies say all kinds of things for hype and to attract investors, but it doesn’t necessarily make it true.
matmuls
Looking at their commits, there are about 300+ commits tagged with the "Generated with https://claude.com/claude-code" attribution.
dewey
Just because AI tools are involved doesn't mean it's "Vibe coding".
Does this require authenticated access to the PostHog API to kick off? In that case I feel ClickHouse and PostHog both have their share of the blame here.