Skip to main content

PostgreSQL EUVDEUVD-2026-30286

| CVE-2026-6475 HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-05-14 PostgreSQL GHSA-7h2q-899j-9636
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 14, 2026 - 15:01 EUVD
Analysis Generated
May 14, 2026 - 14:01 vuln.today
CVE Published
May 14, 2026 - 13:00 nvd
HIGH 8.8

DescriptionCVE.org

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AnalysisAI

Symlink following vulnerabilities in PostgreSQL pg_basebackup and pg_rewind enable database superusers to overwrite arbitrary files on the destination server's filesystem, leading to local OS account takeover. Exploitation requires a malicious origin database superuser convincing an administrator to run these backup/replication tools (UI:R in CVSS), with practical impact limited to scenarios where database files are transferred between systems or snapshotted before server restart. No public exploit identified at time of analysis. CVSS 8.8 reflects theoretical severity, but real-world risk depends on specific operational workflows involving backup file transfers across trust boundaries.

Technical ContextAI

The vulnerability exploits symlink following (CWE-61) in two PostgreSQL administrative utilities: pg_basebackup in plain format mode and pg_rewind. These tools copy database files from an origin server to a destination. When processing symlinks in the origin database directory, the utilities fail to properly validate file paths, allowing a malicious origin superuser to craft symlinks that resolve to sensitive files on the destination filesystem (e.g., /var/lib/postgres/.bashrc). When the tool follows these symlinks during file copy operations, it overwrites the target files with attacker-controlled content. This represents a confused deputy attack where legitimate administrative tools are tricked into performing unauthorized file operations. The CPE identifier cpe:2.3:a:n/a:postgresql applies to all vulnerable PostgreSQL server installations prior to patched versions.

RemediationAI

Upgrade to PostgreSQL 14.23, 15.18, 16.14, 17.10, or 18.4 depending on your major version branch. Patches available through standard PostgreSQL distribution channels and official vendor advisory at https://www.postgresql.org/support/security/CVE-2026-6475/. If immediate patching is not feasible, implement these mitigations: (1) avoid using pg_basebackup plain format-use tar format instead, which is not vulnerable; (2) inspect and sanitize origin database file permissions before running pg_basebackup or pg_rewind, specifically checking for symlinks in the origin data directory; (3) run these utilities only against trusted origin databases under your administrative control; (4) implement mandatory file integrity monitoring on destination postgres OS account home directory files (.bashrc, .bash_profile, .ssh/authorized_keys) with alerts before server restart. Note that switching to tar format may impact existing backup automation scripts. Sandboxing pg_basebackup/pg_rewind with restricted filesystem access using AppArmor or SELinux provides defense-in-depth but may interfere with legitimate backup operations requiring broad filesystem access.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-30286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy