Skip to main content

PostgreSQL CVE-2026-6638

| EUVDEUVD-2026-30290 LOW
SQL Injection (CWE-89)
2026-05-14 PostgreSQL GHSA-3835-x2rj-c3qj
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 14, 2026 - 15:01 EUVD
Analysis Generated
May 14, 2026 - 14:03 vuln.today
CVE Published
May 14, 2026 - 13:00 nvd
LOW 3.7

DescriptionCVE.org

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

AnalysisAI

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. PostgreSQL 16.x, 17.x, and 18.x versions prior to 16.14, 17.10, and 18.4 respectively are vulnerable; earlier versions are unaffected. No public exploit code or active exploitation has been identified.

Technical ContextAI

PostgreSQL's logical replication subsystem enables subscribers to replicate tables from a remote publisher using subscription objects. The ALTER SUBSCRIPTION command with REFRESH PUBLICATION parameter automatically detects schema changes on the publisher side. The vulnerability stems from insufficient input validation (CWE-89: SQL injection) in how subscription metadata is processed when refreshing table definitions. An attacker with CREATE TABLE privileges on the subscriber can craft malicious table definitions that, when matched against publisher schemas during refresh, inject SQL commands executed in the context of the replication worker process, which runs with the publisher connection's credentials.

RemediationAI

Upgrade to PostgreSQL 16.14, 17.10, 18.4, or any subsequent release in the respective major version series. For organizations unable to patch immediately, implement role-based access control (RBAC) restricting CREATE TABLE privileges on subscribers to trusted database administrators only, preventing untrusted users from injecting malicious table definitions. Alternatively, disable automatic schema refresh by avoiding ALTER SUBSCRIPTION REFRESH PUBLICATION commands in favor of manual table management, accepting the operational burden of synchronizing schema changes. Monitor logical replication worker logs for unexpected SQL execution. These workarounds maintain replication functionality while reducing exploit surface, though they impose administrative overhead and may delay detection of intentional schema changes. Security advisory available at https://www.postgresql.org/support/security/CVE-2026-6638/.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-6638 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy