PatchSiren cyber security CVE debrief
CVE-2026-41889 jackc CVE debrief
CVE-2026-41889 is a low-severity SQL injection issue in the pgx PostgreSQL driver and toolkit for Go. It affects a narrow set of queries when the non-default simple protocol is used and a dollar-quoted string literal contains text that can be interpreted as a placeholder outside the string literal. If the value associated with that placeholder is attacker-controlled, the resulting query can be manipulated. The issue is fixed in pgx 5.9.2.
- Vendor: jackc
- Product: pgx
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-21
Who should care
Organizations using pgx in Go applications, especially code paths that enable the simple protocol and build SQL with dollar-quoted string literals or other placeholder-sensitive query patterns. Security and application teams maintaining database access layers should review affected versions and query construction.
Technical summary
According to the vendor advisory and NVD record, the flaw is a SQL injection condition in pgx prior to 5.9.2. It requires all of the following to line up: the non-default simple protocol is used, the SQL query includes a dollar-quoted string literal, that literal contains text that would be parsed as a placeholder outside a string literal, and the value for that placeholder is controllable by an attacker. NVD maps the weakness to CWE-89 and lists the affected version range as versions before 5.9.2. The published fix is in pgx 5.9.2, with a corresponding patch commit and release notes referenced by the advisory.
Defensive priority
Moderate for exposed applications that use pgx with the simple protocol and dynamically influenced SQL. The CVSS score is low, but SQL injection can still have meaningful impact in the affected code paths, so upgrade planning should not be deferred if the vulnerable pattern is present.
Recommended defensive actions
- Upgrade pgx to version 5.9.2 or later.
- Search code for use of the non-default simple protocol and review any query paths that include dollar-quoted string literals.
- Check whether attacker-influenced values can flow into placeholders in SQL built through the affected pattern.
- Prefer safer query construction patterns and minimize dynamic SQL where possible.
- Validate database-access unit and integration tests against the updated pgx version before deployment.
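To support the code-search steps above, the following Go scanner is an added example written for this debrief, not code from pgx or from the advisory: it locates dollar-quoted string literals in a query string and reports any placeholder-looking tokens inside them, which is exactly the pattern the advisory says needs review. The dollar-tag regex is a constructed simplification of PostgreSQL's lexer rule, and the function name is assumed.

```go
package main

import (
	"regexp"
	"strings"
)

// dollarTag matches the opening tag of a dollar-quoted literal ($$ or $tag$, tag starting
// with a letter or underscore); constructed simplification, deliberately not matching $1.
var dollarTag = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`)

// placeholder matches pgx positional placeholders ($1, $2, ...).
var placeholder = regexp.MustCompile(`\$[0-9]+`)

// PlaceholdersInDollarQuotes returns every placeholder-looking token found inside a
// dollar-quoted literal of sql. A non-empty result flags the query for review: under the
// simple protocol on pgx before 5.9.2 such text could be treated as a real placeholder.
// Ordinary single-quoted literals are skipped so a $$ inside them is not a false positive.
func PlaceholdersInDollarQuotes(sql string) []string {
	var found []string
	for i := 0; i < len(sql); {
		switch {
		case sql[i] == '\'':
			// Skip a single-quoted literal; a doubled '' inside it is an escaped quote.
			for i++; i < len(sql) && (sql[i] != '\'' || (i+1 < len(sql) && sql[i+1] == '\'')); i++ {
				if sql[i] == '\'' {
					i++ // step over the first half of a doubled quote
				}
			}
			i++ // past the closing quote (or harmlessly past end of input)
		case sql[i] == '$':
			tag := dollarTag.FindString(sql[i:])
			if tag == "" {
				i++ // a bare $1 outside any literal is a normal placeholder
				continue
			}
			start := i + len(tag)
			body, next := sql[start:], len(sql) // unterminated literal runs to the end
			if end := strings.Index(sql[start:], tag); end >= 0 {
				body, next = sql[start:start+end], start+end+len(tag)
			}
			found = append(found, placeholder.FindAllString(body, -1)...)
			i = next
		default:
			i++
		}
	}
	return found
}
```

Run it over the query strings your code base passes to pgx with the simple protocol enabled; any query it flags should be rewritten or confirmed safe before relying on the upgrade alone.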
Evidence notes
All claims are grounded in the supplied CVE description, the NVD record, and the linked GitHub advisory, release notes, and patch commit. The CVE was published on 2026-05-08 and last modified on 2026-05-21. The NVD record identifies the affected range as versions before 5.9.2 and cites CWE-89.
Official resources
- CVE-2026-41889 CVE record (CVE.org)
- CVE-2026-41889 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
Publicly disclosed on 2026-05-08 via the CVE/NVD record and vendor advisory, with the fix available in pgx 5.9.2.