What it is
Every modern LLM observability stack writes its traces, metrics, and call-history into a columnar OLAP backend. ClickHouse is dominant: it’s the storage tier under SigNoz, Phoenix-on-OTLP, PostHog product analytics, Plausible, and many custom in-house observability platforms. Cassandra, ScyllaDB, and Apache Pinot fill adjacent niches. When the upstream observability tool is itself unauthenticated, the OLAP backend is also typically reachable on the same host, often on its own default port.
What goes wrong
ClickHouse’s official Docker image creates a default user with no password. The operator must set CLICKHOUSE_USER and CLICKHOUSE_PASSWORD at container start, or modify users.xml. At population scale, ~18% of reachable ClickHouse instances skip this step. The exposure surface is the operator’s entire app schema: database names disclose what the operator stores (signoz_traces, posthog, plausible_events_db, custom vllm_service, ai_hedge_fund, scentedai_fragid_new). LLM call traces, with full prompt and response bodies, often land here.
How we test
We send GET /ping to confirm a ClickHouse server, then GET /?query=SELECT+version() (read-only sanity check) and GET /?query=SHOW+DATABASES+FORMAT+JSON for the database list. Database and table names are the finding; we never SELECT * FROM any user table. For Cassandra/Scylla, the TCP banner on port 9042 confirms identity. The classification is intel-disclosure-tier, not RCE-tier. For observability backends, the disclosed information is exactly the LLM call history the operator is trying to keep private.