CVE-2026-6476
Published: May 18, 2026
Last modified: May 19, 2026
Description
SQL injection in PostgreSQL's pg_createsubscriber utility allows an attacker holding the pg_create_subscription role to execute arbitrary SQL as a superuser. The attack takes effect the next time pg_createsubscriber runs. Within major versions 17 and 18, minor versions before PostgreSQL 17.10 and 18.4 are affected; versions before PostgreSQL 17, which do not ship pg_createsubscriber, are unaffected.
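The practical questions for an operator are whether the server is in the affected range and which non-superuser roles could stage the attack, since the advisory says that membership in pg_create_subscription is enough. The following queries are an added audit example, not part of the advisory or of the PostgreSQL project; the version boundaries are taken from the description above, and the queries assume you run them with psql as a superuser (pg_subscription only shows full rows to superusers).

```sql
-- Added example for auditing CVE-2026-6476 exposure; run as a superuser.
-- Assumes the affected ranges stated in the advisory:
--   17.x before 17.10  -> server_version_num 170000..170009
--   18.x before 18.4   -> server_version_num 180000..180003
--   anything before 17 -> not affected (pg_createsubscriber does not exist there)

-- 1. Is this server build in the affected range?
SELECT current_setting('server_version_num')::int AS version_num,
       CASE
         WHEN current_setting('server_version_num')::int < 170000
           THEN 'not affected (pre-17)'
         WHEN current_setting('server_version_num')::int BETWEEN 170000 AND 170009
           THEN 'AFFECTED: upgrade to 17.10 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 180000 AND 180003
           THEN 'AFFECTED: upgrade to 18.4 or later'
         ELSE 'fixed release'
       END AS cve_2026_6476_status;

-- 2. Who could exploit it: non-superuser roles that (directly or via
--    inheritance) are members of pg_create_subscription. Superusers are
--    excluded because they already hold everything the bug would give them;
--    built-in pg_* roles are excluded because they cannot log in.
SELECT r.rolname,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER') AS via_pg_create_subscription
FROM pg_roles r
WHERE pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER')
  AND NOT r.rolsuper
  AND r.rolname NOT LIKE 'pg\_%'
ORDER BY r.rolname;

-- 3. Existing subscriptions and their owners, as a starting point for
--    reviewing what a pg_createsubscriber run would touch.
SELECT s.subname,
       o.rolname AS owner,
       s.subenabled
FROM pg_subscription s
JOIN pg_roles o ON o.oid = s.subowner
ORDER BY s.subname;
```

Two caveats follow from the description rather than from the queries. First, until the fixed release is deployed, membership in pg_create_subscription should be treated as equivalent to superuser on any server where pg_createsubscriber will be run, so the output of the second query is effectively a list of extra superusers. Second, the injection is in the pg_createsubscriber program itself, so the binary you invoke must come from a fixed release; updating only the server packages on the target host is not enough if the tool is run from an older client installation.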
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.2 |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | HIGH |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality impact | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Notes
https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | postgresql15 | Not affected (15.17-r0) |
| Alpaquita Linux | 25 LTS | postgresql17 | Fixed (17.10-r0) |
| Alpaquita Linux | Stream | postgresql18 | Fixed (18.4-r0) |