Security Advisory: CVE Affecting Percona Monitoring and Management (PMM)

February 11, 2025
Author: Matt Kane

A critical security vulnerability has been identified in the following software that Percona has made available: PMM Open Virtual Appliance (OVA) installations, version 2.38 and above. This vulnerability does not extend to Docker or Amazon Machine Images (AMIs). The Common Vulnerabilities and Exposures (CVE) identifier for this issue is CVE-2025-26701.

Immediate actions required

  • UPGRADE IMMEDIATELY to PMM 2.44.0-1 or PMM 3.0.0-1 (strongly recommended).
  • CHANGE ALL CREDENTIALS for monitored and connected services.
  • REVIEW SYSTEM AND AUTHENTICATION LOGS for potential unauthorized access.

Vulnerability details

This vulnerability stems from default service account credentials in OVA provisioning that enable:

  • Unauthorized SSH access
  • Privilege escalation to root via sudo capabilities
  • Potential exposure of service credentials and configurations
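The log review the advisory asks for, as an added example that is not Percona's code or part of the advisory: the script below parses syslog-style OpenSSH and sudo lines from an auth log and flags the pattern the vulnerability details describe, an interactive SSH login by a service account followed by a sudo escalation to root. The account name `svc_placeholder`, the host name, the addresses and the log lines themselves are constructed placeholders (the advisory does not name the affected account); the set of trusted source addresses is an assumed input the reviewer supplies.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog shape OpenSSH and sudo write on most
# Linux systems. Nothing here is captured from a real PMM host; the account name
# svc_placeholder stands in for whichever service account the appliance provisions.
SAMPLE_AUTH_LOG = """\
Feb 10 02:14:01 pmm-ova sshd[1201]: Accepted password for svc_placeholder from 203.0.113.7 port 51022 ssh2
Feb 10 02:14:01 pmm-ova sshd[1201]: pam_unix(sshd:session): session opened for user svc_placeholder by (uid=0)
Feb 10 02:14:35 pmm-ova sudo: svc_placeholder : TTY=pts/0 ; PWD=/home/svc_placeholder ; USER=root ; COMMAND=/bin/bash
Feb 10 02:20:10 pmm-ova sshd[1305]: Failed password for admin from 198.51.100.9 port 40211 ssh2
Feb 10 09:00:00 pmm-ova sshd[1410]: Accepted publickey for admin from 192.0.2.5 port 50001 ssh2
Feb 10 09:00:12 pmm-ova sudo: admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl status pmm-managed
"""

# Syslog timestamp, then the two line shapes we care about: sshd login results and sudo commands.
TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
SSH_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
SUDO_RE = re.compile(
    TS + r" \S+ sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)


def _ts(text):
    # Syslog timestamps carry no year; the default year is fine for ordering within one file.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_auth_log(text):
    """Turn raw auth log text into a list of ssh_accepted / ssh_failed / sudo events."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "kind": "ssh_" + m["result"].lower(),
                           "user": m["user"], "src": m["src"], "method": m["method"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "kind": "sudo", "user": m["user"],
                           "target": m["target"], "command": m["command"]})
    return events


def review(events, service_accounts, trusted_sources, window=timedelta(minutes=10)):
    """Return (finding, account, detail) tuples for activity worth a human look.

    service_accounts: accounts that should never log in interactively.
    trusted_sources:  source addresses from which administrator logins are expected.
    window:           how soon after a login a sudo-to-root is tied back to that login.
    """
    findings = []
    last_login = {}  # account -> (timestamp, source) of its most recent accepted SSH login
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "ssh_accepted":
            last_login[e["user"]] = (e["ts"], e["src"])
            if e["user"] in service_accounts:
                findings.append(("service-account-ssh-login", e["user"], e["src"]))
            elif e["src"] not in trusted_sources:
                findings.append(("ssh-login-from-untrusted-source", e["user"], e["src"]))
        elif e["kind"] == "sudo" and e["target"] == "root":
            if e["user"] in service_accounts:
                findings.append(("service-account-root-escalation", e["user"], e["command"]))
            login = last_login.get(e["user"])
            if login and e["ts"] - login[0] <= window and login[1] not in trusted_sources:
                findings.append(("root-escalation-after-untrusted-login", e["user"], login[1]))
    return findings


def run_sample():
    """Run the review over the constructed sample with assumed inputs."""
    return review(parse_auth_log(SAMPLE_AUTH_LOG),
                  service_accounts={"svc_placeholder"},
                  trusted_sources={"192.0.2.5"})


if __name__ == "__main__":
    for finding, account, detail in run_sample():
        print(f"{finding:40} account={account:16} {detail}")
```

On the sample the admin login from the trusted address and its routine sudo produce nothing, while the service-account password login from an unknown address and the `/bin/bash` escalation that follows it are reported three ways. On a real appliance, point `parse_auth_log` at the SSH and sudo lines from the system log (or `journalctl` output in the same syslog format) and populate the two sets from your own inventory; a hit on the service account after the upgrade date is the signal to treat the credential rotation in the advisory as an incident response, not just maintenance.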

Links to more information and upgrade instructions can be found in the Percona documentation:

  • PMM 2.44.0-1: View the release notes
  • PMM 3.0.0-1: View the release notes

