Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0612
Vulnerability from certfr_avis - Published: 2026-05-19 - Updated: 2026-05-19
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 postgresql 16.12-1 versions ant\u00e9rieures \u00e0 16.14-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 gnutls 3.8.3-8 versions ant\u00e9rieures \u00e0 3.8.3-9",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 nginx 1.28.3-1 versions ant\u00e9rieures \u00e0 1.28.3-2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-33845",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33845"
},
{
"name": "CVE-2026-6474",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6474"
},
{
"name": "CVE-2026-6472",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6472"
},
{
"name": "CVE-2026-6479",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6479"
},
{
"name": "CVE-2026-40701",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40701"
},
{
"name": "CVE-2026-42946",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42946"
},
{
"name": "CVE-2026-6637",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6637"
},
{
"name": "CVE-2026-6473",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6473"
},
{
"name": "CVE-2026-42934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42934"
},
{
"name": "CVE-2026-6638",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6638"
},
{
"name": "CVE-2026-6478",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6478"
},
{
"name": "CVE-2026-6475",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6475"
},
{
"name": "CVE-2026-6477",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6477"
},
{
"name": "CVE-2026-42945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42945"
},
{
"name": "CVE-2026-40460",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40460"
}
],
"initial_release_date": "2026-05-19T00:00:00",
"last_revision_date": "2026-05-19T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0612",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6478",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6478"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6637",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6637"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42934",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42934"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6474",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6474"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6473",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6473"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6472",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6472"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40701",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40701"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40460",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40460"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42945",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42945"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6479",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6479"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6475",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6475"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33845",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33845"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6477",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6477"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42946",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42946"
},
{
"published_at": "2026-05-16",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6638",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6638"
}
]
}
CVE-2026-6477 (GCVE-0-2026-6477)
Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-07-02 12:04
VLAI
EPSS
Title
PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory
Summary
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Severity
8.8 (High)
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
29 references
| URL | Tags |
|---|---|
| https://www.postgresql.org/support/security/CVE-2… | |
| https://access.redhat.com/security/cve/CVE-2026-6477 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477442 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:27718 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27743 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27742 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27738 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26181 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34362 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34363 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29815 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:32994 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34043 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26561 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33497 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29953 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33441 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26524 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29904 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:32983 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26525 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29212 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28037 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26203 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26204 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27741 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:21182 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:22878 | vendor-advisoryx_refsource_REDHAT |
Impacted products
23 products
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
18 , < 18.4
(rpm)
Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm) |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream AUS (v.8.4) |
cpe:/a:redhat:rhel_aus:8.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4) |
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream AUS (v.8.6) |
cpe:/a:redhat:rhel_aus:8.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6) |
cpe:/a:redhat:rhel_eus_long_life:8.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.8.8) |
cpe:/a:redhat:rhel_e4s:8.8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream TUS (v.8.8) |
cpe:/a:redhat:rhel_tus:8.8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.4) |
cpe:/a:redhat:rhel_e4s:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
Credits
The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T03:56:18.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-14T13:00:12.497Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in PostgreSQL libpq. A server superuser can exploit a buffer overflow vulnerability in the PQfn function, which is used by client functions such as lo_export(), lo_read(), lo_lseek64(), and lo_tell64(). This allows the superuser to send an arbitrarily large response, overwriting the client\u0027s stack memory, specifically in tools like psql and pg_dump. This could lead to arbitrary code execution on the client system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:04:58.046Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-6477"
},
{
"name": "RHBZ#2477442",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477442"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6477.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27718"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27743"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27742"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27738"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34362"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34363"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29815"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:32994"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34043"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26561"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33497"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29953"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33441"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26524"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29904"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:32983"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26525"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29212"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28037"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26203"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26204"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27741"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21182"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22878"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27718: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27743: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27742: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27738: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26181: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:34362: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34363: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:29815: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:32994: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:34043: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:26561: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33497: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:29953: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:33441: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:26524: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:29904: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:32983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26525: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:29212: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:28037: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26203: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26204: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:27741: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:21182: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:22878: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-14T14:01:31.087Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-14T13:00:12.497Z",
"value": "Made public."
}
],
"title": "postgresql: PostgreSQL libpq: Buffer overflow allows server superuser to overwrite client stack memory",
"workarounds": [
{
"lang": "en",
"value": "Only connect to trusted PostgreSQL servers. Avoid using psql or pg_dump against untrusted or potentially compromised database servers."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.4",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.10",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.14",
"status": "affected",
"version": "16",
"versionType": "rpm"
},
{
"lessThan": "15.18",
"status": "affected",
"version": "15",
"versionType": "rpm"
},
{
"lessThan": "14.23",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \\lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-242",
"description": "Use of Inherently Dangerous Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:00:12.497Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2026-6477/"
}
],
"title": "PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory",
"workarounds": [
{
"lang": "en",
"value": "use PQexecPrepared(), not PQfn(..., result_is_int=0, ...) or its lo_* wrappers"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-6477",
"datePublished": "2026-05-14T13:00:12.497Z",
"dateReserved": "2026-04-17T00:44:19.965Z",
"dateUpdated": "2026-07-02T12:04:58.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6478 (GCVE-0-2026-6478)
Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-07-02 12:04
VLAI
EPSS
Title
PostgreSQL discloses MD5-hashed passwords via covert timing channel
Summary
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Severity
6.5 (Medium)
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-385 - Covert Timing Channel
Assigner
References
32 references
| URL | Tags |
|---|---|
| https://www.postgresql.org/support/security/CVE-2… | |
| https://access.redhat.com/security/cve/CVE-2026-6478 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2477447 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:27718 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27743 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27742 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27738 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28999 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28208 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26181 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28143 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34362 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34363 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29815 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:32994 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34043 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26561 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33497 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29953 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33441 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26524 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29904 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:32983 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26525 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29212 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28037 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26203 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26204 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:27741 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:21182 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:22878 | vendor-advisoryx_refsource_REDHAT |
Impacted products
23 products
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
18 , < 18.4
(rpm)
Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm) |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream AUS (v.8.4) |
cpe:/a:redhat:rhel_aus:8.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4) |
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream AUS (v.8.6) |
cpe:/a:redhat:rhel_aus:8.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6) |
cpe:/a:redhat:rhel_eus_long_life:8.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.8.8) |
cpe:/a:redhat:rhel_e4s:8.8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream TUS (v.8.8) |
cpe:/a:redhat:rhel_tus:8.8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.4) |
cpe:/a:redhat:rhel_e4s:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
Credits
The PostgreSQL project thanks Joe Conway for reporting this problem.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:32:42.868340Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:33:03.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-14T13:00:13.174Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts databases that retain MD5-hashed passwords from upgrades of PostgreSQL 13 or earlier."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-385",
"description": "Covert Timing Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:04:57.747Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-6478"
},
{
"name": "RHBZ#2477447",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477447"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6478.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27718"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27743"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27742"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27738"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28999"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28208"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26181"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28143"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34362"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34363"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29815"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:32994"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34043"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26561"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33497"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29953"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33441"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26524"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29904"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:32983"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26525"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29212"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28037"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26203"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26204"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27741"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21182"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22878"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27718: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:27743: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27742: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:27738: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:28999: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:28208: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:26181: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:28143: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:34362: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:34363: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
},
{
"lang": "en",
"value": "RHSA-2026:29815: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:32994: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
},
{
"lang": "en",
"value": "RHSA-2026:34043: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:26561: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:33497: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:29953: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:33441: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:26524: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:29904: Red Hat Enterprise Linux AppStream E4S (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:32983: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:26525: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:29212: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:28037: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26203: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26204: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:27741: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:21182: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:22878: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-14T14:01:45.568Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-14T13:00:13.174Z",
"value": "Made public."
}
],
"title": "postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, ensure that all PostgreSQL user passwords are not hashed using MD5. Users should migrate to stronger hashing algorithms such as `scram-sha-256`. This can be achieved by altering user passwords, which will automatically update their hash to the currently configured default. For example, to change a user\u0027s password: `ALTER USER username WITH PASSWORD \u0027new_password\u0027;` This action will require users to re-authenticate. If a service relies on these credentials, it may require a restart to pick up the new authentication details."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.4",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.10",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.14",
"status": "affected",
"version": "16",
"versionType": "rpm"
},
{
"lessThan": "15.18",
"status": "affected",
"version": "15",
"versionType": "rpm"
},
{
"lessThan": "14.23",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "victim user has a usable MD5 password"
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Joe Conway for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-385",
"description": "Covert Timing Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:00:13.174Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2026-6478/"
}
],
"title": "PostgreSQL discloses MD5-hashed passwords via covert timing channel",
"workarounds": [
{
"lang": "en",
"value": "reset password with password_encryption=scram-sha-256"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-6478",
"datePublished": "2026-05-14T13:00:13.174Z",
"dateReserved": "2026-04-17T00:44:57.549Z",
"dateUpdated": "2026-07-02T12:04:57.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6479 (GCVE-0-2026-6479)
Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:26
VLAI
EPSS
Title
PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion
Summary
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
18 , < 18.4
(rpm)
Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm) |
Credits
The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:26:13.223741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:26:20.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.4",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.10",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.14",
"status": "affected",
"version": "16",
"versionType": "rpm"
},
{
"lessThan": "15.18",
"status": "affected",
"version": "15",
"versionType": "rpm"
},
{
"lessThan": "14.23",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:00:13.859Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2026-6479/"
}
],
"title": "PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion",
"workarounds": [
{
"lang": "en",
"value": "enable SSL and/or GSS; disable unix_socket_directories"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-6479",
"datePublished": "2026-05-14T13:00:13.859Z",
"dateReserved": "2026-04-17T00:45:37.869Z",
"dateUpdated": "2026-05-14T15:26:20.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6637 (GCVE-0-2026-6637)
Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-15 03:56
VLAI
EPSS
Title
PostgreSQL refint allows stack buffer overflow and SQL injection
Summary
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
18 , < 18.4
(rpm)
Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) Affected: 15 , < 15.18 (rpm) Affected: 0 , < 14.23 (rpm) |
Credits
The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T03:56:19.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.4",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.10",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.14",
"status": "affected",
"version": "16",
"versionType": "rpm"
},
{
"lessThan": "15.18",
"status": "affected",
"version": "15",
"versionType": "rpm"
},
{
"lessThan": "14.23",
"status": "affected",
"version": "0",
"versionType": "rpm"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "superuser previously installed the refint extension"
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "Stack buffer overflow in PostgreSQL module \"refint\" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a \"refint\" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:00:15.223Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2026-6637/"
}
],
"title": "PostgreSQL refint allows stack buffer overflow and SQL injection"
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-6637",
"datePublished": "2026-05-14T13:00:15.223Z",
"dateReserved": "2026-04-19T19:58:20.340Z",
"dateUpdated": "2026-05-15T03:56:19.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6638 (GCVE-0-2026-6638)
Vulnerability from cvelistv5 – Published: 2026-05-14 13:00 – Updated: 2026-05-14 15:28
VLAI
EPSS
Title
PostgreSQL REFRESH PUBLICATION allows SQL injection via table name
Summary
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
18 , < 18.4
(rpm)
Affected: 17 , < 17.10 (rpm) Affected: 16 , < 16.14 (rpm) |
Credits
The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:28:21.916462Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:28:30.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"lessThan": "18.4",
"status": "affected",
"version": "18",
"versionType": "rpm"
},
{
"lessThan": "17.10",
"status": "affected",
"version": "17",
"versionType": "rpm"
},
{
"lessThan": "16.14",
"status": "affected",
"version": "16",
"versionType": "rpm"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "attacker has permission to create non-temporary subscriber objects with names appearing in the publication"
},
{
"lang": "en",
"value": "victim has set origin=none on the subscription"
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription\u0027s publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:00:15.848Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://www.postgresql.org/support/security/CVE-2026-6638/"
}
],
"title": "PostgreSQL REFRESH PUBLICATION allows SQL injection via table name"
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-6638",
"datePublished": "2026-05-14T13:00:15.848Z",
"dateReserved": "2026-04-19T19:58:21.650Z",
"dateUpdated": "2026-05-14T15:28:30.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…