Which versions of postgrex are affected by CVE-2026-32687?

Elixir postgrex library versions 0.16.0-0.22.1 contain a SQL injection vulnerability in the Notifications module that allows local attackers to execute arbitrary database commands, including table…. A patch is available.

postgrex CVE-2026-32687

Q: What is the CVSS score of CVE-2026-32687?

CVE-2026-32687 has a CVSS 4.0 base score of 7.5 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-29477 HIGH

SQL Injection (CWE-89)

2026-05-12 EEF

GHSA-r73h-97w8-m54h

SQLi PostgreSQL

7.5

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 12, 2026 - 15:31 vuln.today

Analysis Generated

May 12, 2026 - 15:31 vuln.today

CVSS changed

May 12, 2026 - 15:22 NVD

7.5 (HIGH)

CVE Published

May 12, 2026 - 14:18 nvd

HIGH 7.5

DescriptionNVD

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection.

The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.

This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1.

This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.

AnalysisAI

SQL injection in the Elixir postgrex library allows local attackers with control over PostgreSQL LISTEN/UNLISTEN channel names to execute arbitrary SQL commands including DDL and DML operations. The Postgrex.Notifications module (versions 0.16.0 through 0.22.1) fails to escape double-quote characters in channel arguments, enabling attackers to break out of quoted identifiers and chain multi-statement payloads such as DROP TABLE commands. …

RemediationAI

Within 24 hours: Inventory all applications and services using postgrex library and identify currently deployed versions. Within 7 days: Upgrade postgrex to version 0.22.2 or later across all development, staging, and production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32687 vulnerability details – vuln.today

Back

postgrex CVE-2026-32687

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

postgrex CVE-2026-32687

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code