CVE-2026-6638

HIGH EPSS 7.8%

Published May 14, 20261mo ago · Modified Jun 17, 20261w ago

8.8 CVSS 3.1

High

Published May 14, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

CVSS Details

Base Score

8.8

Exploitability

2.8

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

7.8% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-89 SQL Injection Injection

Affected Products 3

Vendor	Product	Version	Range
postgresql	postgresql	*	≥16.0 – <16.14
postgresql	postgresql	*	≥17.0 – <17.10
postgresql	postgresql	*	≥18.0 – <18.4

References 1

postgresql.org https://www.postgresql.org/support/security/CVE-2026-6638/

PatchVendor Advisory

Remediation

postgresql.org https://www.postgresql.org/support/security/CVE-2026-6638/

PatchVendor Advisory