PatchSiren cyber security CVE debrief
CVE-2026-6472 PostgreSQL CVE debrief
A missing authorization vulnerability in PostgreSQL's CREATE TYPE implementation allows an authenticated attacker with object creation privileges to hijack queries that rely on search_path resolution for user-defined types. When a victim query executes, it may inadvertently invoke attacker-controlled SQL functions instead of intended extension-defined or legitimate user-defined types. This represents a privilege escalation path where a lower-privileged database user can influence execution of queries run by other users or applications. The attack requires the victim's session to use a search_path that includes a schema where the attacker has created a malicious type with a name matching an expected type. The vulnerability affects PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23. The CVSS 3.1 score of 5.4 (Medium) reflects network attack vector, low attack complexity, low privileges required, and no user interaction needed, with limited confidentiality and integrity impact. The weakness is categorized as CWE-862 (Missing Authorization). No known exploitation in ransomware campaigns has been documented.
- Vendor: PostgreSQL
- Product: PostgreSQL
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Database administrators managing multi-tenant PostgreSQL environments, security teams overseeing database access controls, application developers using PostgreSQL extensions with user-defined types, and organizations with shared database infrastructure where multiple users have object creation privileges
Technical summary
The vulnerability stems from insufficient authorization checks during type resolution when PostgreSQL processes CREATE TYPE statements. An attacker with CREATE privilege in any schema can define a type whose name collides with types used by other queries. When a victim session's search_path includes the attacker's schema before the legitimate type's schema, PostgreSQL resolves the attacker's type first. If this malicious type is defined with conversion functions or operators that invoke attacker-controlled code, the victim query executes arbitrary SQL functions. This is particularly dangerous for extension-defined types where applications expect specific behavior. The attack does not require superuser privileges—only the ability to create objects in at least one schema that appears early in target users' search paths. The fix in patched versions adds authorization checks to prevent type hijacking through search_path manipulation.
Defensive priority
medium
Recommended defensive actions
- Upgrade PostgreSQL to patched versions: 18.4 or later, 17.10 or later, 16.14 or later, 15.18 or later, or 14.23 or later
- Review database user privileges and restrict CREATE privileges to trusted administrative accounts only
- Audit existing user-defined types and extensions for unexpected objects in shared schemas
- Consider implementing schema search_path restrictions at the application or connection level to reduce exposure
- Monitor query logs for unexpected function invocations or type resolution anomalies
- Apply principle of least privilege for database roles, ensuring users have minimal necessary object creation permissions
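The following SQL is an added example, not part of the PatchSiren debrief or of PostgreSQL's own advisory. It turns the technical summary and the recommended actions above into concrete checks a DBA can run: find schemas where roles other than the owner hold CREATE, find user-defined type names that exist in more than one schema (the collision the hijack depends on), show which roles have a pinned search_path, and apply the two hardening statements the advisory implies. Catalog tables and functions (pg_namespace, pg_type, pg_roles, has_schema_privilege, pg_get_userbyid) are standard PostgreSQL; the role and schema names app_reader and app are constructed placeholders.

```sql
-- 1. Schemas where a non-superuser role other than the schema owner can CREATE.
--    Each row is a schema in which a lower-privileged user could define a type
--    whose name collides with one the application expects.
SELECT n.nspname                    AS schema_name,
       pg_get_userbyid(n.nspowner)  AS schema_owner,
       r.rolname                    AS role_with_create
FROM pg_namespace n
CROSS JOIN pg_roles r
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  AND r.oid <> n.nspowner
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')   -- includes grants made to PUBLIC
ORDER BY schema_name, role_with_create;

-- 2. Type names defined in more than one user schema, with owner per schema.
--    A duplicate name is only a risk if the shadowing schema precedes the
--    legitimate one in some role's search_path, but every duplicate deserves review.
SELECT t.typname,
       array_agg(n.nspname || ' (owner: ' || pg_get_userbyid(t.typowner) || ')'
                 ORDER BY n.nspname) AS definitions
FROM pg_type t
JOIN pg_namespace n ON n.oid = t.typnamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  AND t.typname NOT LIKE E'\\_%'        -- skip auto-generated array types
  AND NOT (t.typtype = 'c'              -- skip row types of tables/views, keep standalone composites
           AND EXISTS (SELECT 1 FROM pg_class c
                       WHERE c.oid = t.typrelid AND c.relkind <> 'c'))
GROUP BY t.typname
HAVING count(*) > 1
ORDER BY t.typname;

-- 3. Which roles already have an explicit search_path? Roles absent from this
--    list fall back to the server default, which usually starts with "$user", public.
SELECT r.rolname, cfg AS setting
FROM pg_roles r, unnest(r.rolconfig) AS cfg
WHERE cfg LIKE 'search_path=%'
ORDER BY r.rolname;

-- 4. Hardening (run as a superuser or the schema owner). Placeholders: app_reader, app.
--    a) Stop unprivileged roles from creating objects in the shared schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
--    b) Pin the application role to schemas it trusts, listed in trust order,
--       so type names resolve only there.
ALTER ROLE app_reader SET search_path = app, pg_catalog;
```

Queries 1 and 2 are read-only and safe to run on a production replica; the REVOKE and ALTER ROLE in step 4 change behaviour for existing users, so confirm first that no legitimate workflow relies on creating objects in public. The search_path pin takes effect for new sessions of that role; applications can also schema-qualify type references in their SQL, which removes the dependence on search_path entirely.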
Evidence notes
Vulnerability description and affected version ranges derived from NVD CPE criteria and vendor advisory. CVSS vector and score from official NVD record. CWE classification from NVD weakness data. Timeline dates from CVE published and modified timestamps.
Official resources
- CVE-2026-6472 CVE record (CVE.org)
- CVE-2026-6472 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch, Vendor Advisory (2026-05-14)