149 matches found
Vulnerability in core server (CVE-2026-6638)
PostgreSQL REFRESH PUBLICATION allows SQL injection via table name SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at...
Vulnerability in core server (CVE-2026-6478)
PostgreSQL discloses MD5-hashed passwords via covert timing channel Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all...
Vulnerability in contrib module (CVE-2026-6637)
PostgreSQL refint allows stack buffer overflow and SQL injection Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a...
Vulnerability in client (CVE-2026-6477)
PostgreSQL libpq lo functions let server superuser overwrite client stack memory Use of inherently dangerous function PQfn..., resultisint=0, ... in PostgreSQL libpq loexport, loread, lolseek64, and lotell64 functions allows the server superuser to overwrite a client stack buffer with an...
Vulnerability in core server (CVE-2026-6473)
PostgreSQL server undersizes allocations, via integer wraparound Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL...
Vulnerability in core server (CVE-2026-6575)
PostgreSQL pgrestoreattributestats accepts values that cause query planning to read past end of stats array Buffer over-read in PostgreSQL function pgrestoreattributestats accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table...
Vulnerability in core server (CVE-2026-6474)
PostgreSQL timeofday can disclose portions of server memory Externally-controlled format string in PostgreSQL timeofday function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. The...
Vulnerability in client (CVE-2026-6475)
PostgreSQL pgbasebackup and pgrewind can overwrite unrelated files of origin superuser choice Symlink following in PostgreSQL pgbasebackup plain format and in pgrewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It...
Vulnerability in core server (CVE-2026-6479)
PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AFUNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do t...
Vulnerability in client (CVE-2026-6476)
PostgreSQL pgcreatesubscriber allows SQL injection via subscription name SQL injection in PostgreSQL pgcreatesubscriber allows an attacker with pgcreatesubscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pgcreatesubscriber next runs. Within major versions 17...
Vulnerability in core server (CVE-2026-6472)
PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use searchpath to find user-defined types, including extension-defined types. That is to say, the victim will execute...
Vulnerability in core server (CVE-2026-2006)
PostgreSQL missing validation of multibyte character length executes arbitrary code Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the...
Vulnerability in contrib module (CVE-2026-2005)
PostgreSQL pgcrypto heap buffer overflow executes arbitrary code Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. The...
Vulnerability in contrib module (CVE-2026-2004)
PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the...
Vulnerability in core server (CVE-2026-2003)
PostgreSQL oidvector discloses a few bytes of memory Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they...
Vulnerability in contrib module (CVE-2026-2007)
PostgreSQL pgtrgm heap buffer overflow writes pattern onto server memory Heap buffer overflow in PostgreSQL pgtrgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the...
Vulnerability in client (CVE-2025-12818)
PostgreSQL libpq undersizes allocations, via integer wraparound Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in...
Vulnerability in core server (CVE-2025-12817)
PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, fro...
Vulnerability in client (CVE-2025-8714)
PostgreSQL pgdump lets superuser of origin server execute arbitrary code in psql client Untrusted data inclusion in pgdump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to...
Vulnerability in core server (CVE-2025-8713)
PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intende...
Vulnerability in client (CVE-2025-8715)
PostgreSQL pgdump newline in object name executes arbitrary code in psql client and in restore target server Improper neutralization of newlines in pgdump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account...
Vulnerability in core server (CVE-2025-4207)
PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit...
Vulnerability in client (CVE-2025-1094)
PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral, PQescapeIdentifier, PQescapeString, and PQescapeStringConn allows a database input provider to achieve SQL...
Vulnerability in client (CVE-2024-10977)
PostgreSQL libpq retains an error message from man-in-the-middle Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long...
Vulnerability in core server (CVE-2024-10976)
PostgreSQL row security below e.g. subqueries disregards user ID changes Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user I...
Vulnerability in core server (CVE-2024-10979)
PostgreSQL PL/Perl environment variable changes execute arbitrary code Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables e.g. PATH. That often suffices to enable arbitrary code execution, even if...
Vulnerability in core server (CVE-2024-10978)
PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an...
Vulnerability in core server (CVE-2024-7348)
PostgreSQL relation replacement during pgdump executes arbitrary SQL Time-of-check Time-of-use TOCTOU race condition in pgdump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pgdump, which is often a superuser. The attack involves replacing another...
Vulnerability in core server (CVE-2024-4317)
Restrict visibility of "pgstatsext" and "pgstatsextexprs" entries to the table owner Missing authorization in PostgreSQL built-in views pgstatsext and pgstatsextexprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other user...
Vulnerability in core server (CVE-2024-0985)
PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL UPDATE June 19, 2024 : Added v16 as impacted. Updated description to clarify the attack vector. Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute...
Vulnerability in core server (CVE-2023-5868)
Memory disclosure in aggregate function calls Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type...
Vulnerability in core server (CVE-2023-5870)
Role "pgsignalbackend" can signal certain superuser processes Documentation says the pgsignalbackend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the...
Vulnerability in core server (CVE-2023-5869)
Buffer overrun from integer overflow in array modification While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database...
Vulnerability in core server (CVE-2023-39417)
Extension script @substitutions@ within quoting allow SQL injection An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct dollar quoting, '', or "". No bundled extension is vulnerable. Vulnerable uses do appear in a documentation examp...
Vulnerability in core server (CVE-2023-39418)
MERGE fails to enforce UPDATE or SELECT row security policies PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store...
Vulnerability in core server (CVE-2023-2455)
Row security policies disregard user ID changes after inlining While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies ar...
Vulnerability in core server (CVE-2023-2454)
CREATE SCHEMA ... schemaelement defeats protective searchpath changes This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users. The PostgreSQL...
Vulnerability in client (CVE-2022-41862)
Client memory disclosure when connecting, with Kerberos, to modified server A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable...
Vulnerability in core server (CVE-2022-2625)
Extension scripts replace objects not belonging to the extension Some extensions use CREATE OR REPLACE or CREATE IF NOT EXISTS commands. Some don't adhere to the documented rule to target only objects known to be extension members already. An attack requires permission to create non-temporary...
Vulnerability in core server (CVE-2022-1552)
Autovacuum, REINDEX, and others omit "security restricted operation" sandbox Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pgamcheck made incomplete efforts to operate safely when a privileged user is maintaining another user's objects. Those commands activated releva...
Vulnerability in core server (CVE-2021-23214)
Server processes unencrypted bytes from man-in-the-middle When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of...
Vulnerability in client (CVE-2021-23222)
libpq processes unencrypted bytes from man-in-the-middle A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. If more preconditions hold, the attacker can exfiltrate the client's password or othe...
Vulnerability in core server (CVE-2021-3677)
Memory disclosure in certain queries A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include...
Vulnerability in core server (CVE-2021-32029)
Memory disclosure in partitioned-table UPDATE ... RETURNING Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this...
Vulnerability in core server (CVE-2021-32027)
Buffer overrun from integer overflow in array subscripting calculations While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The PostgreSQL project thanks Tom Lane for reporting this problem...
Vulnerability in core server (CVE-2021-32028)
Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and...
Vulnerability in core server (CVE-2021-3393)
Partition constraint violation errors leak values of denied columns A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to...
Vulnerability in core server (CVE-2021-20229)
Single-column SELECT privilege enables reading all columns A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table. Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In...
Vulnerability in core server (CVE-2020-25695)
Multiple features escape "security restricted operation" sandbox An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. While promptly updating PostgreSQL is the best remediation for most users, a...
Vulnerability in client (CVE-2020-25696)
psql's \gset allows overwriting specially treated variables The \gset meta-command, which sets psql variables based on query results, does not distinguish variables that control psql behavior. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute...