Skip to main content

PostgreSQL CVE-2026-6638

| EUVD-2026-30290 LOW
SQL Injection (CWE-89)
2026-05-14 PostgreSQL GHSA-3835-x2rj-c3qj
SQLi PostgreSQL
3.7
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 14, 2026 - 15:01 EUVD
Analysis Generated
May 14, 2026 - 14:03 vuln.today
CVE Published
May 14, 2026 - 13:00 nvd
LOW 3.7

DescriptionNVD

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

AnalysisAI

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION REFRESH PUBLICATION allows authenticated local or network users with table creation privileges to execute arbitrary SQL queries with the publication subscriber's credentials. The attack is deferred until the next REFRESH PUBLICATION command is executed, requiring user interaction or scheduled maintenance. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6638 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy