CVE-2026-6638
Published 2026-05-14
Priority: P2 (60)
CVSS 3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.18% (7.8th percentile)
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
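The description above gives three things a practitioner needs for triage: the exact affected and fixed minor versions, the fact that only PostgreSQL 16 and later are in scope, and the precondition (a subscriber-side role that can create tables, plus a subscription that will be refreshed). The helper below is an added example written for this page, not PostgreSQL project code or anything from the advisory. It encodes the version ranges, and it carries two catalog queries for the subscriber side that are my assumption of what to inspect (they use the real `pg_subscription`, `pg_roles`, `pg_namespace` catalogs and `has_schema_privilege()`, and assume a superuser session so `subconninfo` is visible). The sample rows at the bottom are constructed stand-ins for what those queries would return.

```python
"""Triage helper for CVE-2026-6638, written for this page; it is not PostgreSQL
project code. It encodes only what the advisory states: affected ranges
16.0-16.13, 17.0-17.9, 18.0-18.3 (fixed in 16.14, 17.10, 18.4; pre-16 unaffected),
and the precondition that a subscriber-side role able to create tables can abuse
the next ALTER SUBSCRIPTION ... REFRESH PUBLICATION."""
import re

# Fixed minor version per affected major, straight from the advisory text.
FIXED_MINOR = {16: 14, 17: 10, 18: 4}


def parse_server_version(text):
    """Extract (major, minor) from `SHOW server_version` or `SELECT version()`
    output, tolerating packaging suffixes such as
    'PostgreSQL 17.9 (Ubuntu 17.9-1.pgdg24.04+1) on x86_64-pc-linux-gnu'.
    Returns None when no X.Y is present (e.g. a beta string)."""
    m = re.search(r"\b(\d+)\.(\d+)\b", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(text):
    """Map a version string to 'affected', 'fixed', 'unaffected' (major < 16)
    or 'unknown' (unparseable, or a major the advisory does not cover)."""
    parsed = parse_server_version(text)
    if parsed is None:
        return "unknown"
    major, minor = parsed
    if major < 16:
        return "unaffected"
    if major not in FIXED_MINOR:
        return "unknown"
    return "affected" if minor < FIXED_MINOR[major] else "fixed"


# Audit queries for the SUBSCRIBER side. These are this example's assumption of
# what to look at, not queries from the advisory. Run as a superuser:
# pg_subscription hides subconninfo from other roles. The password in the
# connection string is masked so the output can be pasted into a ticket.
SUBSCRIPTIONS_SQL = """
SELECT subname, subenabled, subpublications,
       regexp_replace(subconninfo, 'password=\\S+', 'password=***') AS conninfo
FROM pg_subscription;
"""

# Non-superuser roles holding CREATE on any user schema: the "subscriber table
# creator" population the advisory refers to. System schemas are skipped.
TABLE_CREATORS_SQL = """
SELECT r.rolname, n.nspname
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\\_%'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.rolname, n.nspname, 'CREATE')
ORDER BY 1, 2;
"""


def triage(version_text, subscriptions, creators):
    """Combine the three signals. `subscriptions` is rows of
    (subname, subenabled, subpublications) and `creators` rows of
    (rolname, nspname), as the two queries above would return them.
    Exposure needs an affected server AND at least one subscription AND a
    non-superuser able to create tables; otherwise candidate_roles is empty."""
    status = classify(version_text)
    subnames = [row[0] for row in subscriptions]
    exposed = status == "affected" and bool(subnames) and bool(creators)
    return {
        "status": status,
        "subscriptions": subnames,
        "candidate_roles": sorted({role for role, _schema in creators}) if exposed else [],
    }


# Constructed sample output standing in for the two queries on a 17.9 subscriber.
SAMPLE_VERSION = "PostgreSQL 17.9 (Ubuntu 17.9-1.pgdg24.04+1) on x86_64-pc-linux-gnu"
SAMPLE_SUBSCRIPTIONS = [("sub_orders", True, ["pub_orders"])]
SAMPLE_CREATORS = [("app_rw", "public"), ("app_rw", "staging"), ("reporting", "staging")]

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_SUBSCRIPTIONS, SAMPLE_CREATORS))
```

The roles that `triage()` reports are candidates, not confirmed attackers: the advisory's precondition is the ability to create tables on the subscriber, so any non-superuser with CREATE on a schema there qualifies until the server is on 16.14, 17.10 or 18.4. The only fix the page supports is upgrading; the queries narrow down who to watch in the meantime and which publication-side credentials (the user in each `conninfo`) would be exercised by a hostile refresh.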
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postgresql | postgresql | >= 16.0, < 16.14 | 16.14 |
| postgresql | postgresql | >= 17.0, < 17.10 | 17.10 |
| postgresql | postgresql | >= 18.0, < 18.4 | 18.4 |
| ubuntu | postgresql-14 | — | — |
| ubuntu | postgresql-16 | — | — |
| ubuntu | postgresql-17 | — | — |
| ubuntu | postgresql-18 | — | — |

The feed listed each PostgreSQL range twice (once as `>= 16`, once as `>= 16.0`, and so on); each pair is one range and is shown once here. The Ubuntu rows carry no version range because they come from an Ubuntu advisory that bundles several PostgreSQL issues (see the Ubuntu entry below). Read the postgresql-14 row against the CVE text above, which states that versions before PostgreSQL 16 are not affected by CVE-2026-6638; that package is in the list because the bundled advisory covers other PostgreSQL issues as well.
CVSS provenance
NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu (vendor): 5.4 MEDIUM (score assigned to the bundled Ubuntu advisory)
VulDB
PostgreSQL up to 16.13/17.9/18.3 Subscription sql injection
vuldb · 2026-05-14 · CVSS 3.7 (LOW)
A vulnerability has been found in PostgreSQL up to 16.13/17.9/18.3 and classified as critical. This affects an unknown function of the component Subscription Handler. This manipulation causes sql injection.
This vulnerability is tracked as CVE-2026-6638. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
GHSA
GHSA-3835-x2rj-c3qj: SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION
ghsa_unreviewed · 2026-05-14 · CWE-89 · LOW
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu · 2026-05-21 · CVSS 5.4 (MEDIUM) · indexed under CVE-2026-6475
Summary: Several security issues were fixed in PostgreSQL.

It was discovered that PostgreSQL did not correctly enforce authorization for CREATE TYPE. An attacker could possibly use this issue to execute arbitrary SQL functions. (CVE-2026-6472)

It was discovered that PostgreSQL incorrectly handled large user input in multiple server features. An attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-6473)

It was discovered that PostgreSQL incorrectly handled format strings in the timeofday() function. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6474)

It was discovered that PostgreSQL incorrectly followed symbolic links in
pg_bas
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.