Skip to main content

PostgreSQL EUVDEUVD-2026-24035

| CVE-2026-39946 MEDIUM
SQL Injection (CWE-89)
2026-04-21 GitHub_M GHSA-6vgr-cp5c-ffx3
4.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Red Hat
4.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 13:28 nvd
Patch available
Patch available
Apr 21, 2026 - 02:01 EUVD
Analysis Generated
Apr 21, 2026 - 01:23 vuln.today
CVSS changed
Apr 21, 2026 - 01:22 NVD
4.6 (MEDIUM)
EUVD ID Assigned
Apr 21, 2026 - 01:15 euvd
EUVD-2026-24035
Analysis Generated
Apr 21, 2026 - 01:15 vuln.today
CVE Published
Apr 21, 2026 - 00:19 nvd
MEDIUM 4.6

DescriptionGitHub Advisory

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability was original from HashiCorp Vault. The vulnerability is addressed in v2.5.3. As a workaround, audit table schemas and ensure database users cannot create new schemas and grant privileges on them.

AnalysisAI

OpenBao 2.5.2 and earlier fails to properly quote PostgreSQL schema names during role revocation in the PostgreSQL database secrets engine, allowing authenticated high-privilege administrators to execute arbitrary SQL injection as the database management user. The vulnerability affects the credentials management workflow when revoking database roles, potentially compromising database integrity. A vendor-released patch (version 2.5.3) is available.

Technical ContextAI

OpenBao's PostgreSQL database secrets engine manages dynamic database credentials by creating temporary roles and revoking them when leases expire or are manually revoked. The vulnerability resides in the SQL statement construction for role revocation, specifically in the handling of schema names supplied by PostgreSQL. CWE-89 (SQL Injection) indicates insufficient input validation or parameterization of schema identifiers in dynamically constructed SQL queries. When a schema name contains special characters or SQL metacharacters that are not properly escaped or quoted, an attacker with high privilege access to OpenBao's API can craft malicious schema names to inject arbitrary SQL commands. The affected CPE (cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*) indicates all versions prior to 2.5.3 are impacted. This is a direct port of a vulnerability originally discovered in HashiCorp Vault, indicating the code pattern was inherited during OpenBao's fork from Vault.

RemediationAI

Upgrade OpenBao to version 2.5.3 or later immediately - this is the primary and definitive fix provided by the vendor. The patch addresses the SQL injection vulnerability by implementing proper database quoting on schema names. If immediate upgrade is not feasible, apply the workaround provided by OpenBao: audit all table schemas in your PostgreSQL databases and ensure that database users configured for OpenBao role management cannot create new schemas or grant privileges on them. This limits the attacker's ability to inject arbitrary schema names, though it does not eliminate the injection vulnerability itself. The workaround has the trade-off of reducing database flexibility - schema creation restrictions may impact legitimate administrative workflows or future application changes. Review PostgreSQL GRANT statements for OpenBao-managed accounts and restrict them to the minimum necessary permissions. Monitor PostgreSQL logs for unexpected SQL commands or schema creation attempts from OpenBao-managed accounts as a compensating control.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-24035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy