Detections
Analytics

PostgREST API Server Detected

high Web App Scanning Plugin ID 115087

Language:

Synopsis

PostgREST API Server Detected

Description

PostgREST is a standalone web server that turns your PostgreSQL database directly into a RESTful API. By default, PostgREST does not implement any authentication or access control mechanisms, which can lead to unauthorized access to sensitive data if the server is exposed to untrusted networks without proper safeguards in place.

An attacker who discovers an exposed PostgREST server could potentially retrieve, modify, or delete data from the underlying PostgreSQL database, depending on the database permissions configured for the PostgREST user. This could lead to data breaches, data loss, or unauthorized data manipulation.

Solution

Restrict access using a .htaccess file, limiting access to known IP Addresses.

See Also

https://github.com/PostgREST/postgrest

Plugin Details

Severity: High

ID: 115087

Type: remote

Published: 1/5/2026

Updated: 1/5/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information