PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32687 elixir-ecto CVE debrief

CVE-2026-32687 is a SQL injection vulnerability in the notifications handling of elixir-ecto/postgrex. If an attacker can influence the channel name passed to LISTEN/UNLISTEN, the value is interpolated into the SQL statement without escaping double quotes, so a double quote in the input closes the quoted identifier and whatever follows is sent to the server as additional SQL. The same unescaped interpolation is reached again when the reconnect logic in handle_connect/1 replays stored subscriptions.

Vendor
elixir-ecto
Product
postgrex
CVSS
HIGH 7.5 (CVSS v4.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-21
Advisory published
2026-05-12
Advisory updated
2026-05-21

Who should care

Teams running Elixir applications that use postgrex notifications, especially any code that accepts channel names from untrusted input or builds subscription names dynamically. Operational teams should also care because handle_connect/1 replays stored subscriptions after a reconnect, so a malicious channel name registered once is re-sent every time the connection is re-established.

Technical summary

The supplied record names the vulnerable routines as Elixir.Postgrex.Notifications listen/3, unlisten/3 and handle_connect/1 in lib/postgrex/notifications.ex. The channel argument is interpolated directly into LISTEN "..." / UNLISTEN "..." statements without escaping the double quote character, so an attacker-controlled value can terminate the quoted identifier. Because the notifications connection uses PostgreSQL's simple query protocol rather than the extended (prepared) protocol, the server accepts several semicolon-separated statements in one message, which lets text appended after the closing quote run as separate SQL statements. The source record ties the issue to postgrex versions from 0.16.0 up to a fixed release, but the upper bound differs: the description says before 0.22.2, while the NVD cpeCriteria lists before 0.22.0.
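The following Elixir module is an added illustration, not code from postgrex or from the upstream patch (the record does not say how the fix quotes identifiers). It puts the unescaped LISTEN construction the advisory describes next to a quoting helper that follows PostgreSQL's own rule for double-quoted identifiers (an embedded " is written as ""), plus an allowlist check. The module and function names, the 63-byte length guard and the identifier regex are this example's choices.

```elixir
# Added example (not postgrex code): unescaped LISTEN construction as
# described for CVE-2026-32687, beside a hardened identifier quoter.
defmodule ChannelQuoting do
  # PostgreSQL's default identifier limit (NAMEDATALEN - 1); longer names
  # are truncated server-side, which would silently change the channel.
  @max_ident_bytes 63

  # Vulnerable pattern from the advisory: the channel goes between the
  # quotes untouched, so a `"` in the input closes the identifier and the
  # rest reaches the server as SQL. On a simple-query-protocol connection
  # a following `;` starts a second statement.
  def listen_sql_unsafe(channel) when is_binary(channel) do
    "LISTEN \"#{channel}\""
  end

  # Hardened construction: a literal `"` inside a quoted identifier is
  # doubled, so the whole input stays one identifier. Inputs that can never
  # be a valid identifier are rejected rather than "repaired": NUL bytes
  # are not permitted in identifiers, and over-long names would truncate.
  def quote_ident(name) when is_binary(name) do
    cond do
      String.contains?(name, <<0>>) -> {:error, :nul_byte}
      byte_size(name) > @max_ident_bytes -> {:error, :identifier_too_long}
      true -> {:ok, "\"" <> String.replace(name, "\"", "\"\"") <> "\""}
    end
  end

  def listen_sql(channel) do
    with {:ok, ident} <- quote_ident(channel), do: {:ok, "LISTEN " <> ident}
  end

  def unlisten_sql(channel) do
    with {:ok, ident} <- quote_ident(channel), do: {:ok, "UNLISTEN " <> ident}
  end

  # Defence in depth for code that takes channel names from outside: only
  # accept names that are plain unquoted identifiers (assumed policy for
  # this example). Quoting then never has anything to escape.
  def allowed_channel?(channel) when is_binary(channel) do
    Regex.match?(~r/\A[a-z_][a-z0-9_]{0,62}\z/, channel)
  end

  def demo do
    # Constructed attacker-controlled channel name.
    payload = ~s(events"; DROP TABLE users; --)
    IO.puts(listen_sql_unsafe(payload))
    IO.inspect(listen_sql(payload))
    IO.inspect(allowed_channel?(payload))
    IO.inspect(allowed_channel?("order_events"))
  end
end
```

Running ChannelQuoting.demo/0 in iex shows the difference: the unsafe string carries the attacker's `"; DROP TABLE users; --` outside the identifier, where the simple query protocol parses it as a second statement, while the quoted form keeps the entire payload inside one double-quoted identifier, and the allowlist rejects it outright before any SQL is built. Whatever quoting the upstream fix applies, the replay path (handle_connect/1) must go through the same helper, otherwise a channel stored before the fix is re-injected on reconnect.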

Defensive priority

High

Recommended defensive actions

  • Upgrade postgrex to the fixed release referenced by the vendor advisory and patch commit.
  • Audit any code that passes user-controlled or externally influenced values into LISTEN/UNLISTEN channel names.
  • Treat reconnect/replay paths as part of the attack surface, not just initial subscription calls.
  • Review the privileges of the database role the notifications connection authenticates as; injected SQL runs with that role's rights, so give it no more than the application's subscription logic actually needs.
  • Validate the exact affected version range against the vendor advisory and patch link because the supplied record contains a version-bound discrepancy.

Evidence notes

The CVE description states that the channel argument in listen/3 and unlisten/3 is interpolated directly into LISTEN/UNLISTEN SQL without escaping double quotes, and that handle_connect/1 replays the same pattern after reconnect. The supplied NVD metadata marks the weakness as CWE-89 and gives a CVSS v4.0 score of 7.5 HIGH. The record also contains a version-range inconsistency: the description says affected versions are from 0.16.0 before 0.22.2, while the NVD cpeCriteria lists vulnerable versions ending before 0.22.0. Use the linked vendor advisory and patch commit to confirm remediation scope.

Official resources

CVE published 2026-05-12 and last modified 2026-05-21. The supplied enrichment does not list a KEV entry. NVD status in the source item is Analyzed.