A detailed security research writeup documenting a critical RCE vulnerability chain in PostHog's self-hosted analytics platform. The exploit combines multiple vulnerabilities: SSRF through webhook validation bypass, a zero-day SQL escaping flaw in ClickHouse's PostgreSQL table function, and default credentials. The chain allows

14m read time. From mdisec.com
Table of contents

- Act 1 – Installation and Understanding the High-Level Architecture
- Act 2 – Multiple Server-Side Request Forgery
  - “Bypass” of CVE-2023-46746 | Analysis of PostHog Rust Webhook Handler Server-Side Request Forgery
  - Triggering the Action: Rust Webhook Worker
  - Rust Webhook Worker – Understanding our SSRF Primitive
- Act 3 – Clickhouse SQL injection in postgresql and sqlite table functions 0-day
  - Clickhouse Table Functions
  - Wrong PostgreSQL escaping leading to Remote PostgreSQL Injection Vulnerability
  - Escalating SQL Injection to the Remote Code Execution
- Act 4 – Chaining them all together
- Zero Day Initiative (ZDI)
