What is the CVSS score of CVE-2026-6479?

CVE-2026-6479 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of PostgreSQL are affected by CVE-2026-6479?

CVE-2026-6479 is a remote denial-of-service vulnerability affecting PostgreSQL that allows unauthenticated attackers to crash database servers through malformed SSL/GSS negotiation, potentially…. A patch is available.

How to fix or mitigate CVE-2026-6479?

Within 24 hours: Inventory all PostgreSQL instances and identify versions below 18.4, 17.10, 16.14, 15.18, and 14.23; assess production vs. non-production status. Within 7 days: Apply vendor-released patches to all PostgreSQL instances in test and staging environments; validate application functionality post-patch. Within 30 days: Complete patch deployment to all production PostgreSQL servers, using a phased rollout approach with scheduled maintenance windows to minimize availability impact.

PostgreSQL CVE-2026-6479

EUVD-2026-30288 HIGH

Uncontrolled Recursion (CWE-674)

2026-05-14 PostgreSQL

GHSA-hwfh-mh4f-m67f

Denial Of Service PostgreSQL Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch available

May 14, 2026 - 15:01 EUVD

Analysis Generated

May 14, 2026 - 14:01 vuln.today

CVE Published

May 14, 2026 - 13:00 nvd

HIGH 7.5

DescriptionNVD

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AnalysisAI

Denial of service in PostgreSQL allows remote unauthenticated attackers to crash the database server via recursive SSL/GSS negotiation when connecting to AF_UNIX or TCP sockets (if SSL and GSS are both disabled). Affects all PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. …

RemediationAI

Within 24 hours: Inventory all PostgreSQL instances and identify versions below 18.4, 17.10, 16.14, 15.18, and 14.23; assess production vs. non-production status. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-6479 vulnerability details – vuln.today

Back

PostgreSQL CVE-2026-6479

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code