diff --git a/reddwarf/extensions/mysql/common.py b/reddwarf/extensions/mysql/common.py
index b4059ffec3..e3b2811be2 100644
--- a/reddwarf/extensions/mysql/common.py
+++ b/reddwarf/extensions/mysql/common.py
@@ -32,7 +32,11 @@ def populate_databases(dbs):
             databases.append(mydb.serialize())
         return databases
     except ValueError as ve:
-        raise exception.BadRequest(str(ve))
+        # str(ve) contains user input and may include '%' which can cause a
+        # format str vulnerability. Escape the '%' to avoid this. This is
+        # okay to do since we're not using dict args here in any case.
+        safe_string = str(ve).replace('%', '%%')
+        raise exception.BadRequest(safe_string)
 
 
 def populate_users(users):
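Review bot: The escape at `safe_string = str(ve).replace('%', '%%')` patches one call site, but the root cause is that `exception.BadRequest` (defined outside this hunk) apparently runs `%` formatting over a caller-supplied message, so every other `raise exception.X(str(...))` built from request data remains exposed; `populate_users`, whose `def` starts on the hunk's last line and whose body is outside it, is the obvious next place to check, and the durable fix is in the exception base class (format only when kwargs are actually passed) rather than per-caller escaping. The new comment should state the invariant it depends on rather than just "we're not using dict args", e.g. `# BadRequest %-formats its message; '%%' collapses back to '%' only because that formatting runs -- keep in sync with exception.BadRequest`, since if the base class ever stops formatting, users will see doubled percent signs and the escaping silently becomes a corruption bug. It is also worth saying in the comment what the unescaped failure looks like: a database name containing a stray `%` would raise inside the exception constructor, turning the intended 400 into a 500, and a `%(key)s` sequence could pull values out of whatever kwargs the formatter sees, so this is both an availability and a disclosure concern.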