
Prevent HTTP endpoints from exposing the exact server version to unauthenticated users.#91003

Merged
thevar1able merged 2 commits into ClickHouse:master from filimonov:hide_version_non_authenticated_users
Dec 15, 2025

Conversation

@filimonov
Contributor

@filimonov filimonov commented Nov 27, 2025

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Avoid exposing the ClickHouse server version in HTTP error responses returned before authentication.

Documentation entry for user-facing changes

To reduce unnecessary information exposure, unauthenticated HTTP error responses no longer show the exact ClickHouse server version, which could otherwise give attackers helpful details about the system.

@thevar1able thevar1able self-assigned this Nov 27, 2025
@thevar1able thevar1able added the can be tested Allows running workflows for external contributors label Nov 27, 2025
@clickhouse-gh
Contributor

clickhouse-gh bot commented Nov 27, 2025

Workflow [PR], commit [a21ca6a]

Summary:

job_name test_name status info comment
Stateless tests (arm_asan, targeted) failure
00379_system_processes_port FAIL cidb
00379_system_processes_port FAIL cidb
00379_system_processes_port FAIL cidb
Integration tests (amd_tsan, 2/6) failure
test_storage_s3_queue/test_parallel_inserts.py::test_parallel_inserts_with_failures[1] FAIL cidb, issue
AST fuzzer (amd_tsan) failure
Logical error: 'Expected the argument №1 ('round(__table3.y, __table1.materialize(toNullable(x)))' of type UInt8) to have 1 rows, but it has 0' FAIL cidb
BuzzHouse (amd_debug) failure
Logical error: 'Inconsistent AST formatting: the query: FAIL cidb, issue
BuzzHouse (amd_ubsan) failure
Logical error: 'negate's argument does not match the expected data type' FAIL cidb
Performance Comparison (amd_release, master_head, 1/6) failure
Check Results failure
Performance Comparison (amd_release, master_head, 2/6) failure
Check Results failure
Performance Comparison (amd_release, master_head, 4/6) failure
Check Results failure
Integration tests (amd_asan, db disk, old analyzer, 3/6) error

@clickhouse-gh clickhouse-gh bot added the pr-improvement Pull request with some product improvements label Nov 27, 2025
@filimonov
Contributor Author

Failures seem unrelated.

@alexey-milovidov
Member

@filimonov, please provide the context about this improvement. Who requested that, and what is the actual reasoning?

@filimonov
Contributor Author

please provide the context about this improvement. Who requested that, and what is the actual reasoning?

Pen testers' report (the lowest priority, but the guys still want it to be fixed) at a financial/security company (can't disclose the company name due to NDA).

The report itself:

Finding 1 - Improper Error Handling

Summary

Uncaught server exceptions occur when providing parameter values that the server or servlet does not understand.

Impact

Physical paths, versioning information, stack traces' content, and other data can be gathered and used to help further an attack when improper error handling is present.

Applications should always fail safe in their designs. If an application fails to an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality, or worse, create, modify or destroy data. Error messages may also aid in the identification of other attacks such as buffer overflows and SQL injection, and can generally contribute to an overall weaker security posture.

Details

Affected API Endpoints:
[POST] /

The server returns verbose error messaging that discloses the back-end service, its specific version number, and sensitive configuration details, as illustrated below.

The HTTP request and response below illustrate that when accessing the API without authentication, the error message reveals the ClickHouse Database service and its version, and also discloses the absolute file paths to the configuration files.

HTTP Request:

POST / HTTP/1.1
Host: <Hostname>
Content-Length: 14

SHOW DATABASES

HTTP Response:

HTTP/1.1 401 Unauthorized

X-ClickHouse-Summary:	{"read_rows":"0","read_bytes":"0","written_rows":"0","written_bytes":"0","total_rows_to_read":"0","result_rows":"0","result_bytes":"0","elapsed_ns":"38307"}
Date: Wed, 01 Oct 2025 18:22:10 GMT
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
Access-Control-Expose-Headers: X-ClickHouse-Query-Id,X-ClickHouse-Summary,X-ClickHouse-Server-Display-Name,X-ClickHouse-Format,X-ClickHouse-Timezone,X-ClickHouse-Exception-Code
X-ClickHouse-Exception-Code: 194
WWW-Authenticate: Basic realm="ClickHouse server HTTP API"
Keep-Alive: timeout=30, max=9999
Content-Length: 653

Code: 194. DB::Exception: default: Authentication failed: password is incorrect, or there is no user with such name.
If you use ClickHouse Cloud, the password can be reset at https://clickhouse.cloud/
on the settings page for the corresponding service.

If you have installed ClickHouse and forgot password you can reset it in the
configuration file.

The password for default user is typically located at /etc/clickhouse-server/users.d/default-password.xml
and deleting this file will reset the password.

See also /etc/clickhouse-server/users.xml on the server where ClickHouse is installed.

. (REQUIRED_PASSWORD) (version 25.7.4.11 (official build))

The HTTP request and response below illustrate that when a non-admin user attempts an action without sufficient privileges, the error message reveals the database service version details and the exact granular permissions required to execute the query.

Also, for the record, my answer in the internal ticketing system:

Finding 1 – “Improper Error Handling”

We acknowledge the described behavior but do not consider it a significant security issue. The ClickHouse HTTP interface is designed for use within secure environments and by client libraries, not as a public-facing endpoint. When deployed as intended, no untrusted parties have access to these error responses.

Paths in error messages – The text shown does not expose any actual file system paths or configuration details. It is a static, generic message identical across all installations (see ClickHouse source reference).

Version exposure – The ClickHouse version is included in error messages. This is a known behavior. We do not consider it an issue for authenticated users and regard it as minor when shown to unauthenticated users. We recommend running only supported versions without known vulnerabilities and avoiding exposing ClickHouse to untrusted networks. We will consider adding a feature to limit exception details for unauthenticated users.
Note: The version tested (25.7.4) is outdated and no longer supported.
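The check below is an added example for operators who want to verify the behaviour discussed in this thread on their own deployment; it is not code from this PR or from the ClickHouse project, and it does not claim to reproduce how the server implements the change. It assumes only what the quoted pen-test response shows: that an unauthenticated 401 body ends with a suffix of the form "(version 25.7.4.11 (official build))". The sample body is constructed from that response; `find_server_version`, `redact_server_version` and `check_unauthenticated_error` are names chosen here.

```python
"""Detect and strip the server-version suffix in a ClickHouse HTTP error body.

Added example (not ClickHouse's code). Assumption: the suffix looks like
"(version X.Y.Z.N (official build))", as in the pen-test response above.
"""
import re
import urllib.error
import urllib.request

# Matches the version suffix appended to exception text, e.g.
# "(version 25.7.4.11 (official build))". The inner build label is optional
# so that custom builds without "(official build)" are still matched.
VERSION_RE = re.compile(r"\(version (\d+(?:\.\d+)+)(?: \([^)]*\))?\)")


def find_server_version(body: str):
    """Return the version string disclosed in an error body, or None."""
    m = VERSION_RE.search(body)
    return m.group(1) if m else None


def redact_server_version(body: str) -> str:
    """Return the body with the version suffix removed (what an
    unauthenticated client should see after the fix)."""
    return VERSION_RE.sub("", body).rstrip()


def check_unauthenticated_error(url: str, query: bytes = b"SHOW DATABASES"):
    """POST a query with no credentials to a server you operate and report
    (http_status, disclosed_version_or_None) for the error body."""
    req = urllib.request.Request(url, data=query, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, find_server_version(body)
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8", "replace")
        return e.code, find_server_version(body)


# Constructed sample: the 401 body from the pen-test report, abbreviated to
# its first and last lines, and the same body as it should look once the
# version suffix is no longer sent to unauthenticated clients.
BEFORE = (
    "Code: 194. DB::Exception: default: Authentication failed: password is "
    "incorrect, or there is no user with such name.\n"
    ". (REQUIRED_PASSWORD) (version 25.7.4.11 (official build))"
)
AFTER = redact_server_version(BEFORE)

if __name__ == "__main__":
    # Example run against the constructed bodies; point
    # check_unauthenticated_error at http://<your-host>:8123/ for a live test.
    print("before fix:", find_server_version(BEFORE))  # 25.7.4.11
    print("after fix: ", find_server_version(AFTER))   # None
```

Run it as a regression test after upgrading: a server that still returns a version string in the 401 body for an unauthenticated request is one where the change is not in effect (or where the error text has a shape the regex does not cover, in which case adjust `VERSION_RE` to your observed output). Note that the "configuration file" paths in the body are, as stated in the reply above, static text rather than a disclosure of the actual file system.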

@filimonov
Contributor Author

filimonov commented Dec 9, 2025

CI/CD failures - all look unrelated:

@thevar1able thevar1able added this pull request to the merge queue Dec 15, 2025
Merged via the queue into ClickHouse:master with commit 14e6dfa Dec 15, 2025
241 of 256 checks passed
@robot-clickhouse robot-clickhouse added the pr-synced-to-cloud The PR is synced to the cloud repo label Dec 15, 2025
Enmk pushed a commit to Altinity/ClickHouse that referenced this pull request Jan 8, 2026
…uthenticated_users

Prevent HTTP endpoints from exposing the exact server version to unauthenticated users.