PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58225 elixir-ecto CVE debrief

CVE-2026-58225 is a SQL Injection vulnerability in elixir-ecto postgrex. An attacker who can influence a LISTEN channel name can inject SQL into the reconnect replay query, causing a denial of service of the notification connection. The vulnerability affects postgrex versions from 0.16.0 before 0.22.3. This issue has a significant impact on applications that pass untrusted input as a channel name to Postgrex.Notifications.listen/3, potentially leading to a denial of service for all tenants sharing the same notification connection.

Vendor
elixir-ecto
Product
postgrex
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Developers and administrators using elixir-ecto postgrex versions from 0.16.0 before 0.22.3 should be aware of this vulnerability and take necessary actions to mitigate it. This includes validating and sanitizing user input for LISTEN channel names and implementing compensating controls to detect and prevent SQL injection attacks.

Technical summary

The vulnerability exists in the Postgrex.Notifications module, where the quote_channel/1 function does not escape the $$ dollar-quote delimiter. This allows an attacker to inject SQL into the reconnect replay query, causing a denial of service of the notification connection. The vulnerability can be exploited by passing untrusted input as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants.

Defensive priority

Medium

Recommended defensive actions

  • Update postgrex to version 0.22.3 or later
  • Validate and sanitize user input for LISTEN channel names
  • Implement compensating controls to detect and prevent SQL injection attacks
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The vulnerability was reported by an unknown source and is described in the CVE record. The NVD entry is currently Received. Further verification is needed to confirm affected scope and severity. Defenders should review the official advisory and CVE record for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T11:16:36.300Z and has not been modified since then. The NVD entry is currently Received.