GHSA-R73H-97W8-M54H
Vulnerability from github – Published: 2026-05-18 17:53 – Updated: 2026-05-18 17:53Summary
SQL injection in Postgrex.Notifications.listen/3: the channel argument is interpolated straight into LISTEN "..." / UNLISTEN "..." without escaping the " character. Any caller that lets a user influence the channel name (e.g. a pub/sub bridge that uses a tenant id or topic slug as the channel) and the name is not sanitized can execute arbitrary SQL on the notifications connection.
Only those using the Postgrex.Notifications directly or via a dependency, with a non-sanitized channel name are vulnerable. Ecto does not use Postgrex.Notifications by default, but you must validate if any other dependency does.
Details
PostgreSQL escapes a " inside a quoted identifier by doubling it to "". Postgrex doesn't do that doubling, so a " inside channel closes the identifier early and everything after it is parsed as SQL on the same connection.
The notifications connection runs as whatever DB role the app is configured with. Unlike the Postgrex.query/4 API, there's no extended-protocol guard here: LISTEN/UNLISTEN are sent as simple queries, so multi-statement payloads work and the attacker can chain ; CREATE TABLE …, ; DROP …, ; CREATE ROLE …, etc.
Impact
SQL injection on the notifications connection. Affects any application that calls Postgrex.Notifications.listen/3 (or unlisten/3) with a channel name derived from untrusted input. Executes as the configured DB user with no protocol-level limit on what can be chained, so the realistic blast radius is read/modify/destroy on any data the app's DB role can reach.
Fix
Upgrade to latest Postgrex v0.22.2 or later. Altenratively, sanitize any user input given as channel name by making sure it doesn't include quotes as well as null bytes (not strictly required, but recommended):
if String.contains?(channel_name, ["\"", "\0"]) do
raise "bad channel name"
end
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "postgrex"
},
"ranges": [
{
"events": [
{
"introduced": "0.16.0"
},
{
"fixed": "0.22.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32687"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:53:17Z",
"nvd_published_at": "2026-05-12T15:16:12Z",
"severity": "HIGH"
},
"details": "### Summary\n\nSQL injection in `Postgrex.Notifications.listen/3`: the `channel` argument is interpolated straight into `LISTEN \"...\"` / `UNLISTEN \"...\"` without escaping the `\"` character. Any caller that lets a user influence the channel name (e.g. a pub/sub bridge that uses a tenant id or topic slug as the channel) and the name is not sanitized can execute arbitrary SQL on the notifications connection.\n\nOnly those using the `Postgrex.Notifications` directly or via a dependency, with a non-sanitized channel name are vulnerable. Ecto does not use Postgrex.Notifications by default, but you must validate if any other dependency does.\n\n### Details\n\nPostgreSQL escapes a `\"` inside a quoted identifier by doubling it to `\"\"`. Postgrex doesn\u0027t do that doubling, so a `\"` inside `channel` closes the identifier early and everything after it is parsed as SQL on the same connection.\n\nThe notifications connection runs as whatever DB role the app is configured with. Unlike the `Postgrex.query/4` API, there\u0027s no extended-protocol guard here: `LISTEN`/`UNLISTEN` are sent as simple queries, so multi-statement payloads work and the attacker can chain `; CREATE TABLE \u2026`, `; DROP \u2026`, `; CREATE ROLE \u2026`, etc.\n\n### Impact\n\nSQL injection on the notifications connection. Affects any application that calls `Postgrex.Notifications.listen/3` (or `unlisten/3`) with a channel name derived from untrusted input. Executes as the configured DB user with no protocol-level limit on what can be chained, so the realistic blast radius is read/modify/destroy on any data the app\u0027s DB role can reach.\n\n### Fix\n\nUpgrade to latest Postgrex v0.22.2 or later. Altenratively, sanitize any user input given as channel name by making sure it doesn\u0027t include quotes as well as null bytes (not strictly required, but recommended):\n\n```elixir\nif String.contains?(channel_name, [\"\\\"\", \"\\0\"]) do\n raise \"bad channel name\"\nend\n```",
"id": "GHSA-r73h-97w8-m54h",
"modified": "2026-05-18T17:53:17Z",
"published": "2026-05-18T17:53:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-r73h-97w8-m54h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32687"
},
{
"type": "WEB",
"url": "https://github.com/elixir-ecto/postgrex/commit/7cdedbd4316bb65f82e6a9a4f922c0ac491cb770"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-32687.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/elixir-ecto/ecto"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.