Nobody Gets to Be Superuser (Until I Broke In)

October 20–23
Level: Beginner

Managed PostgreSQL services give each customer an apparently isolated database instance, and work hard to guarantee one thing: the customer never becomes a superuser on it. This talk examines why that boundary matters and how similarly it fails across the industry.

In this talk, I will discuss months of research and how I found ways to escalate privileges to superuser on nearly every managed Postgres provider. The bug differs each time, which could be a logical vulnerability in the privilege-relaxation extension, or cloud-native underlying software mistakes affecting vendors, memory corruption bugs on extensions that everybody installs and so on. What stays the same is the set of root causes behind them.

Whether you are a DBA, developer building on a managed provider, or are simply curious to see from a hacker's perspective, you are welcome at this session. You will leave this talk with a knowledge of recurring root causes, a clear threat model, and a practical hardening checklist.

Back

Join Us For PostgreSQL Conference Europe 2026

October 20–23 2026

Palacio de Congresos, Valencia, Spain