Ghidra CVE-2026-49498

EUVD-2026-36007 | HIGH | SQL Injection (CWE-89)
2026-06-10 | VulnCheck
CVSS 4.0 (NVD): 8.7

Severity by source

NVD (primary): 8.7 HIGH
Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Jun 10, 2026 - 15:01 (EUVD): Patch available
  • Jun 10, 2026 - 14:38 (vuln.today): Analysis Updated, v3 (cvss_changed)
  • Jun 10, 2026 - 14:38 (vuln.today): Analysis Updated, v2 (cvss_changed)
  • Jun 10, 2026 - 14:22 (vuln.today): Re-analysis Queued (cvss_changed)
  • Jun 10, 2026 - 14:22 (NVD): CVSS changed, 8.8 (HIGH) to 8.7 (HIGH)
  • Jun 10, 2026 - 14:02 (vuln.today): Analysis Generated
  • Jun 10, 2026 - 12:38 (NVD): CVE Published, HIGH 8.8

Description (NVD)

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control.

Analysis (AI)

SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users to escalate to PostgreSQL superuser by injecting crafted username strings into ALTER ROLE statements issued by the changePassword() method. Exploitation requires only low-privileged authenticated access to the Ghidra server, and no public exploit has been identified at time of analysis despite a working proof-of-concept being implied by the detailed vendor advisory from VulnCheck and NSA.

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain low-privileged Ghidra credentials
  • Delivery: Connect to Ghidra server over network
  • Exploit: Send PasswordChange message with double-quoted username payload
  • Install: Break out of ALTER ROLE identifier quoting
  • C2: Execute injected SQL granting SUPERUSER
  • Execute: Take full control of PostgreSQL backend
  • Impact: Exfiltrate or tamper with shared project data

Vulnerability Assessment (AI)

Exploitation: Requires a Ghidra server deployment configured to use the PostgreSQL-backed PostgresFunctionDatabase for multi-user collaboration (not the default standalone or file-based project mode), running an affected version in the 11.0 through pre-12.1 range. …

Risk Assessment: The CVSS 4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N, with high impact to confidentiality, integrity, and availability of the vulnerable component) reflects a network-reachable, low-complexity flaw requiring only low-privileged authentication and no user interaction - credible signals for a serious server-side issue. …

Exploit Scenario: An attacker with a low-privileged Ghidra user account on a shared PostgreSQL-backed Ghidra server sends a crafted PasswordChange network message containing double quotes and appended SQL inside the username field. The malicious payload escapes the ALTER ROLE identifier context and executes attacker-chosen SQL - for example granting their own role SUPERUSER - yielding full control over the PostgreSQL instance backing the team's reverse-engineering projects, including the ability to exfiltrate or tamper with all shared analysis data.

Remediation: Vendor-released patch: upgrade Ghidra to version 12.1 or later, which fixes the username escaping in the PostgresFunctionDatabase changePassword() routine; release artifacts and details are linked from the GHSA advisory at https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-vv7r-2rhf-5h7g and the VulnCheck advisory at https://www.vulncheck.com/advisories/ghidra-sql-injection-in-postgresql-password-change-via-unescaped-username. …

Recommended Action (AI)

24 hours: Identify all Ghidra instances (versions 11.0 through pre-12.1) with PostgreSQL collaboration backends enabled; audit PostgreSQL logs for suspicious ALTER ROLE commands; no public exploit identified at time of analysis. …
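
The quoting flaw from the description (a double quote in the username ends the quoted identifier early) and the log audit recommended above, shown together in one added Python example; it is not Ghidra's code or part of the advisory. The statement shape `ALTER ROLE "<name>" WITH PASSWORD '<value>'`, the log line layout and every sample name and value are assumptions constructed for illustration.

```python
import re

# Assumed statement shape: the page only says the username is interpolated
# into an ALTER ROLE statement; the WITH PASSWORD tail is an assumption.
EXPECTED = re.compile(
    r"""ALTER\s+ROLE\s+"((?:[^"]|"")+)"\s+(?:WITH\s+)?PASSWORD\s+'(?:[^']|'')*'\s*;?""",
    re.IGNORECASE,
)
# Assumed log layout (statement logging on); adjust to your log_line_prefix.
STATEMENT = re.compile(r"LOG:\s+statement:\s+(ALTER\s+ROLE\b.*)$", re.IGNORECASE)

def quote_ident(name: str) -> str:
    """Double any embedded double quote, per PostgreSQL quoted-identifier rules."""
    if not name or "\x00" in name:
        raise ValueError("invalid role name")
    return '"' + name.replace('"', '""') + '"'

def alter_role_sql(name: str, escape: bool = True) -> str:
    """escape=False reproduces the unescaped interpolation the page describes."""
    ident = quote_ident(name) if escape else '"' + name + '"'
    return f"ALTER ROLE {ident} WITH PASSWORD 'constructed-verifier'"

def role_in(statement: str):
    """Role name if the statement has exactly the expected shape, else None."""
    m = EXPECTED.fullmatch(statement.strip())
    return m.group(1).replace('""', '"') if m else None

def audit(log_lines, known_roles):
    """Return (line_no, reason) for ALTER ROLE statements that need review."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = STATEMENT.search(line)
        if m is None:
            continue
        role = role_in(m.group(1))
        if role is None:
            findings.append((no, "unexpected ALTER ROLE shape"))
        elif role not in known_roles:
            findings.append((no, f"unknown role {role!r}"))
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    """2026-06-10 12:00:01 UTC [411] LOG:  statement: ALTER ROLE "alice" WITH PASSWORD 'x'""",
    "2026-06-10 12:00:07 UTC [411] LOG:  statement: SELECT 1",
    """2026-06-10 12:03:19 UTC [412] LOG:  statement: ALTER ROLE "eve" SUPERUSER""",
    """2026-06-10 12:04:02 UTC [413] LOG:  statement: ALTER ROLE "bob""x" WITH PASSWORD 'x'""",
]
```

With escaping, a name containing a double quote round-trips as a single role name; without it the statement no longer has the expected shape, which is the condition `audit()` reports alongside password changes for roles that are not in the known set.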
