Postgresql: Most viewed

149 matches found

PostgreSQL
added 2020/08/13 12:00 a.m., 68 views

Vulnerability in core server (CVE-2020-14349)

Uncontrolled search path element in logical replication. The PostgreSQL search_path setting determines schemas searched for tables, functions, operators, etc. The CVE-2018-1058 fix caused most PostgreSQL-provided client applications to sanitize search_path, but logical replication continued to leave...

CVSS 7.1, AI score 7.8, EPSS 0.01548
Exploits: 1, References: 1, Affected Software: 1

PostgreSQL
added 2015/02/05 12:00 a.m., 68 views

Vulnerability in core server (CVE-2015-0241)

Buffer overruns in "to_char" functions...

CVSS 8.8, AI score 9.1, EPSS 0.06004
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2021/11/11 12:00 a.m., 67 views

Vulnerability in client (CVE-2021-23222)

libpq processes unencrypted bytes from man-in-the-middle. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. If more preconditions hold, the attacker can exfiltrate the client's password or othe...

CVSS 5.9, AI score 8.2, EPSS 0.00281
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2025/08/14 12:00 a.m., 65 views

Vulnerability in client (CVE-2025-8715)

PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server. Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account...

CVSS 8.8, AI score 8.5, EPSS 0.00085
Exploits: 1, References: 1, Affected Software: 1

PostgreSQL
added 2015/02/05 12:00 a.m., 65 views

Vulnerability in core server (CVE-2015-0244)

An error in extended protocol message reading...

CVSS 9.8, AI score 9.1, EPSS 0.0108
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2023/11/09 12:00 a.m., 64 views

Vulnerability in core server (CVE-2023-5870)

Role "pg_signal_backend" can signal certain superuser processes. Documentation says the pg_signal_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the...

CVSS 4.4, AI score 7, EPSS 0.00621
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2008/01/09 9:00 p.m., 64 views

Vulnerability in core server (CVE-2007-4769)

Three vulnerabilities in the regular expression handling libraries can be exploited to cause a backend crash, infinite loops or memory exhaustion. This vulnerability can be exploited through frontend applications that allow unfiltered regular expressions to be passed in queries...

CVSS 6.8, AI score 5.8, EPSS 0.01194
Exploits: 0, Affected Software: 1

PostgreSQL
added 2008/01/09 9:00 p.m., 64 views

Vulnerability in core server (CVE-2007-6600)

Two vulnerabilities in how ANALYZE executes user defined functions that are part of expression indexes allow users to gain superuser privileges. A valid login that has permissions to create functions and tables is required to exploit this vulnerability...

CVSS 6.5, AI score 7.2, EPSS 0.00809
Exploits: 0, Affected Software: 1

PostgreSQL
added 2008/01/09 9:00 p.m., 63 views

Vulnerability in contrib module (CVE-2007-6601)

DBLink functions combined with local trust or ident access control could be used by a malicious user to gain superuser privileges. A valid login is required to exploit this vulnerability...

CVSS 7.2, AI score 5.7, EPSS 0.00869
Exploits: 0, Affected Software: 1

PostgreSQL
added 2007/02/06 1:00 a.m., 63 views

Vulnerability in core server (CVE-2007-0555)

A vulnerability allows suppressing the normal checks that a SQL function returns the data type it's declared to do. These errors can easily be exploited to cause a backend crash, and in principle might be used to read database content that the user should not be able to access...

CVSS 8.5, AI score 6, EPSS 0.01905
Exploits: 0, Affected Software: 1

PostgreSQL
added 2006/10/26 5:00 p.m., 63 views

Vulnerability in core server (CVE-2006-5542)

A bug in the logging of V3 protocol messages can cause a denial of service. A valid login is required to exploit this vulnerability...

CVSS 4, AI score 5.9, EPSS 0.02102
Exploits: 0, Affected Software: 1

PostgreSQL
added 2006/10/26 5:00 p.m., 63 views

Vulnerability in core server (CVE-2006-5540)

A bug in the handling of aggregates in UPDATE can cause a denial of service. A valid login is required to exploit this vulnerability...

CVSS 4, AI score 5.8, EPSS 0.02102
Exploits: 0, Affected Software: 1

PostgreSQL
added 2004/10/20 4:00 a.m., 63 views

Vulnerability in client contrib module (CVE-2004-0977)

Contrib script make_oidjoins_check uses unsafe temporary files. This script is not a user-facing script...

CVSS 2.1, AI score 6, EPSS 0.00088
Exploits: 0, Affected Software: 1

PostgreSQL
added 2005/02/08 5:00 a.m., 60 views

Vulnerability in core server (CVE-2005-0247)

Multiple buffer overflows in the PL/PGSQL parser may allow attackers to execute arbitrary code. A valid login is required to exploit this vulnerability...

CVSS 6.5, AI score 6.7, EPSS 0.0195
Exploits: 0, Affected Software: 1

PostgreSQL
added 2006/02/14 7:00 p.m., 57 views

Vulnerability in core server (CVE-2006-0553)

A bug in the handling of SET ROLE allows escalation of privileges to any other database user, including superuser. A valid login is required to exploit this vulnerability...

CVSS 6.5, AI score 6.2, EPSS 0.01839
Exploits: 0, Affected Software: 1

PostgreSQL
added 2022/05/12 12:00 a.m., 56 views

Vulnerability in core server (CVE-2022-1552)

Autovacuum, REINDEX, and others omit "security restricted operation" sandbox. Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another user's objects. Those commands activated releva...

CVSS 8.8, AI score 8.2, EPSS 0.02263
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2019/05/09 12:00 a.m., 56 views

Vulnerability in core server (CVE-2019-10129)

Memory disclosure in partition routing. Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes of server memory by executing a purpose-crafted INSERT statement to a partitioned table...

CVSS 6.5, AI score 6.4, EPSS 0.00419
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2006/02/14 7:00 p.m., 56 views

Vulnerability in core server (CVE-2006-0678)

A bug in the handling of SET SESSION AUTHORIZATION can cause a backend crash in Assert enabled builds. This will cause the postmaster to restart all backends, resulting in a denial of service. A valid login is required to exploit this vulnerability...

CVSS 1.5, AI score 5.9, EPSS 0.00089
Exploits: 0, Affected Software: 1

PostgreSQL
added 2023/02/09 12:00 a.m., 55 views

Vulnerability in client (CVE-2022-41862)

Client memory disclosure when connecting, with Kerberos, to modified server. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable...

CVSS 3.7, AI score 6.9, EPSS 0.0032
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2024/11/14 12:00 a.m., 53 views

Vulnerability in core server (CVE-2024-10976)

PostgreSQL row security below e.g. subqueries disregards user ID changes. Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user I...

CVSS 5.4, AI score 5.6, EPSS 0.01099
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2023/05/11 12:00 a.m., 52 views

Vulnerability in core server (CVE-2023-2455)

Row security policies disregard user ID changes after inlining. While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies ar...

CVSS 5.4, AI score 7.6, EPSS 0.00226
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2020/01/27 3:29 p.m., 52 views

Vulnerability in core server (CVE-2014-8161)

Constraint violation errors can cause display of values in columns which the user would not normally have rights to see...

CVSS 4.3, AI score 6.6, EPSS 0.00714
Exploits: 0, Affected Software: 1

PostgreSQL
added 2023/11/09 12:00 a.m., 49 views

Vulnerability in core server (CVE-2023-5868)

Memory disclosure in aggregate function calls. Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type...

CVSS 4.3, AI score 6.7, EPSS 0.02718
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2021/11/11 12:00 a.m., 49 views

Vulnerability in core server (CVE-2021-23214)

Server processes unencrypted bytes from man-in-the-middle. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of...

CVSS 8.1, AI score 8.4, EPSS 0.00193
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2022/08/11 12:00 a.m., 47 views

Vulnerability in core server (CVE-2022-2625)

Extension scripts replace objects not belonging to the extension. Some extensions use CREATE OR REPLACE or CREATE IF NOT EXISTS commands. Some don't adhere to the documented rule to target only objects known to be extension members already. An attack requires permission to create non-temporary...

CVSS 8, AI score 7.4, EPSS 0.00973
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2023/05/11 12:00 a.m., 46 views

Vulnerability in core server (CVE-2023-2454)

CREATE SCHEMA ... schema_element defeats protective search_path changes. This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users. The PostgreSQL...

CVSS 7.2, AI score 8.1, EPSS 0.00276
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2005/05/03 4:00 a.m., 43 views

Vulnerability in contrib module (CVE-2005-1410)

The tsearch2 contrib module declares several functions as internal even though they don't take an internal argument. This allows attackers to cause a denial of service and may possibly have other impacts. A valid login is required to exploit this vulnerability. Note! See the announcement for speci...

CVSS 2.1, AI score 6.1, EPSS 0.00124
Exploits: 0, Affected Software: 1

PostgreSQL
added 2015/02/05 12:00 a.m., 42 views

Vulnerability in contrib module (CVE-2015-0243)

Memory errors in functions in the pgcrypto extension...

CVSS 8.8, AI score 9.2, EPSS 0.06398
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2023/08/10 12:00 a.m., 40 views

Vulnerability in core server (CVE-2023-39418)

MERGE fails to enforce UPDATE or SELECT row security policies. PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store...

CVSS 4.3, AI score 6.6, EPSS 0.00439
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2025/08/14 12:00 a.m., 28 views

Vulnerability in client (CVE-2025-8714)

PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client. Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to...

CVSS 8.8, AI score 7.9, EPSS 0.00048
Exploits: 1, References: 1, Affected Software: 1

PostgreSQL
added 2026/02/12 12:00 a.m., 23 views

Vulnerability in core server (CVE-2026-2006)

PostgreSQL missing validation of multibyte character length executes arbitrary code. Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the...

CVSS 8.8, AI score 6.5, EPSS 0.00039
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2025/08/14 12:00 a.m., 22 views

Vulnerability in core server (CVE-2025-8713)

PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table. PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intende...

CVSS 3.1, AI score 7, EPSS 0.00053
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2025/11/13 12:00 a.m., 20 views

Vulnerability in core server (CVE-2025-12817)

PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege. Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, fro...

CVSS 3.1, AI score 6.6, EPSS 0.00061
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/02/12 12:00 a.m., 11 views

Vulnerability in contrib module (CVE-2026-2004)

PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code. Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the...

CVSS 8.8, AI score 6.1, EPSS 0.00059
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/02/12 12:00 a.m., 10 views

Vulnerability in core server (CVE-2026-2003)

PostgreSQL oidvector discloses a few bytes of memory. Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they...

CVSS 4.3, AI score 5.5, EPSS 0.00023
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2025/11/13 12:00 a.m., 10 views

Vulnerability in client (CVE-2025-12818)

PostgreSQL libpq undersizes allocations, via integer wraparound. Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in...

CVSS 5.9, AI score 6.8, EPSS 0.00048
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/02/12 12:00 a.m., 9 views

Vulnerability in contrib module (CVE-2026-2005)

PostgreSQL pgcrypto heap buffer overflow executes arbitrary code. Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. The...

CVSS 8.8, AI score 6.5, EPSS 0.00039
Exploits: 3, References: 1, Affected Software: 1

PostgreSQL
added 2026/02/12 12:00 a.m., 8 views

Vulnerability in contrib module (CVE-2026-2007)

PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory. Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the...

CVSS 8.2, AI score 5.8, EPSS 0.00021
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 6 views

Vulnerability in core server (CVE-2026-6575)

PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array. Buffer over-read in PostgreSQL function pg_restore_attribute_stats accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table...

CVSS 4.3, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 5 views

Vulnerability in core server (CVE-2026-6638)

PostgreSQL REFRESH PUBLICATION allows SQL injection via table name. SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at...

CVSS 8.8, AI score 6.1, EPSS 0.00024
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 5 views

Vulnerability in client (CVE-2026-6477)

PostgreSQL libpq lo functions let server superuser overwrite client stack memory. Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export, lo_read, lo_lseek64, and lo_tell64 functions allows the server superuser to overwrite a client stack buffer with an...

CVSS 8.8, AI score 6, EPSS 0.00047
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 5 views

Vulnerability in core server (CVE-2026-6479)

PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion. Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do t...

CVSS 7.5, AI score 5.8, EPSS 0.0002
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 5 views

Vulnerability in client (CVE-2026-6476)

PostgreSQL pg_createsubscriber allows SQL injection via subscription name. SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17...

CVSS 7.2, AI score 6.1, EPSS 0.00035
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 5 views

Vulnerability in core server (CVE-2026-6472)

PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege. Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute...

CVSS 5.4, AI score 6.1, EPSS 0.0003
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 4 views

Vulnerability in core server (CVE-2026-6478)

PostgreSQL discloses MD5-hashed passwords via covert timing channel. Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all...

CVSS 6.5, AI score 5.8, EPSS 0.00076
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 4 views

Vulnerability in core server (CVE-2026-6474)

PostgreSQL timeofday can disclose portions of server memory. Externally-controlled format string in PostgreSQL timeofday function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. The...

CVSS 4.3, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 3 views

Vulnerability in contrib module (CVE-2026-6637)

PostgreSQL refint allows stack buffer overflow and SQL injection. Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a...

CVSS 8.8, AI score 6.4, EPSS 0.00041
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 2 views

Vulnerability in core server (CVE-2026-6473)

PostgreSQL server undersizes allocations, via integer wraparound. Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL...

CVSS 8.8, AI score 5.8, EPSS 0.00075
Exploits: 0, References: 1, Affected Software: 1

PostgreSQL
added 2026/05/14 12:00 a.m., 2 views

Vulnerability in client (CVE-2026-6475)

PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice. Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It...

CVSS 8.8, AI score 5.8, EPSS 0.00049
Exploits: 0, References: 1, Affected Software: 1

Total number of security vulnerabilities: 149