What is the CVSS score of CVE-2026-6473?

CVE-2026-6473 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PostgreSQL are affected by CVE-2026-6473?

PostgreSQL versions 14.x through 18.x contain a remote code execution vulnerability (CVSS 8.8) that allows authenticated database users to execute arbitrary commands with database service privileges…. A patch is available.

How to fix or mitigate CVE-2026-6473?

Within 24 hours: Inventory all PostgreSQL instances (versions 14.x-18.x) and document current versions and access controls. Restrict database user accounts to minimum necessary privileges and disable unused accounts. Within 7 days: Enable database activity logging and implement network segmentation to limit database access to trusted application servers only. Monitor for unusual database connection patterns. Within 30 days: Contact PostgreSQL vendor for patched release timelines and develop a staged upgrade plan to transition to patched versions when available; prioritize production systems first.

PostgreSQL CVE-2026-6473

EUVD-2026-30281 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-05-14 PostgreSQL

GHSA-8rqw-w7xq-566r

RCE PostgreSQL Integer Overflow Suse

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 14, 2026 - 15:01 EUVD

Analysis Generated

May 14, 2026 - 14:00 vuln.today

CVE Published

May 14, 2026 - 13:00 nvd

HIGH 8.8

DescriptionNVD

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AnalysisAI

Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. …

RemediationAI

Within 24 hours: Inventory all PostgreSQL instances (versions 14.x-18.x) and document current versions and access controls. Restrict database user accounts to minimum necessary privileges and disable unused accounts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-6473 vulnerability details – vuln.today

Back

PostgreSQL CVE-2026-6473

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code