CVE-2026-6475

Published May 14, 2026

Last updated 7 days ago

CVSS high 8.8

Overview

Description
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Source
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
NVD status
Analyzed
Products
postgresql

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
CWE-61

Social media

Hype score
Not currently trending

  1. ⚠️ Vulnerabilidades en productos PostgreSQL ❗ CVE-2026-6477 ❗ CVE-2026-6475 ❗ CVE-2026-6473 ➡️ Más info: https://t.co/Xbbj9chZqz https://t.co/yHbC0kfr1p

    @CERTpy

    21 May 2026

    110 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.CVE-2026-6477
  2. Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.CVE-2026-6478
  3. Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.CVE-2026-6575
  4. SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.CVE-2026-6476
  5. Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.CVE-2026-6479

References

Sources include official advisories and independent security research.