PatchSiren cyber security CVE debrief
CVE-2026-6638 PostgreSQL CVE debrief
A SQL injection vulnerability in PostgreSQL's logical replication feature allows a malicious subscriber-side table creator to execute arbitrary SQL with the publication-side credentials. The attack vector is the ALTER SUBSCRIPTION ... REFRESH PUBLICATION command: the injected SQL runs the next time REFRESH PUBLICATION is executed. This vulnerability affects PostgreSQL versions 16.0 through 16.13, 17.0 through 17.9, and 18.0 through 18.3. Versions prior to 16.0 are unaffected. The CVSS 3.1 score of 3.7 reflects the vector's constraints: the attack is network-reachable but requires high attack complexity, low privileges, and user interaction. The vulnerability was published on 2026-05-14 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been reported.
- Vendor: PostgreSQL
- Product: PostgreSQL
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Database administrators managing PostgreSQL logical replication environments, security teams responsible for database infrastructure, and organizations using PostgreSQL 16, 17, or 18 for distributed data replication should prioritize patching. The vulnerability poses particular risk to environments where subscriber databases have less restricted user privileges or where replication configurations are managed by multiple administrative entities.
Technical summary
CVE-2026-6638 is a SQL injection vulnerability in PostgreSQL's logical replication subsystem. The flaw exists in the handling of ALTER SUBSCRIPTION ... REFRESH PUBLICATION commands. A subscriber-side attacker with table creation privileges can craft malicious table definitions that inject SQL commands. When REFRESH PUBLICATION is executed, these commands run with the publication-side credentials, potentially allowing unauthorized data access or modification on the publisher database. The vulnerability requires specific preconditions: the attacker must have CREATE TABLE privileges on the subscriber, and the attack only takes effect upon the next REFRESH PUBLICATION execution. The attack complexity is rated as high due to these requirements. The vulnerability is classified as CWE-89 (SQL Injection) and has been addressed in maintenance releases for supported PostgreSQL versions.
Defensive priority
medium
Recommended defensive actions
- Upgrade PostgreSQL to patched versions: 16.14, 17.10, or 18.4 or later
- Audit subscription configurations for unauthorized ALTER SUBSCRIPTION operations
- Review database user privileges to ensure least-privilege access for table creation
- Monitor for suspicious REFRESH PUBLICATION commands in logical replication environments
- Apply vendor security advisory guidance for additional hardening recommendations
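To support the upgrade and monitoring actions above, here is an added example (not PostgreSQL project code, and not part of the original debrief) that checks a server version string against the affected ranges listed here and scans PostgreSQL statement logs for the two statement types the debrief ties to this CVE. It assumes log_statement is set to 'ddl' or 'all' and that log_line_prefix emits '%u@%d' before 'LOG:'; the log lines are constructed.

```python
"""Added example (not PostgreSQL project code): check a server version against
the affected ranges in this debrief, and scan PostgreSQL statement logs for
the statements the debrief ties to CVE-2026-6638. Assumes log_statement='ddl'
(or 'all') and a log_line_prefix that emits '%u@%d' before 'LOG:'."""
import re

# First patched minor per affected major (16.14, 17.10, 18.4 per the debrief).
# Majors not listed are treated as unaffected, as the debrief states for <16.0.
FIRST_FIXED = {16: 14, 17: 10, 18: 4}

def is_affected(version_string: str) -> bool:
    """True when the 'major.minor' in version_string (e.g. SELECT version()
    output) is below the first patched minor for its major."""
    m = re.search(r"(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no PostgreSQL version number in {version_string!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    fixed = FIRST_FIXED.get(major)
    return fixed is not None and minor < fixed

# The trigger statement named in the debrief, and the subscriber-side table
# creation the attack depends on; WHO_RE pulls user@database from the prefix.
REFRESH_RE = re.compile(r"ALTER\s+SUBSCRIPTION\s+\S+\s+REFRESH\s+PUBLICATION", re.I)
CREATE_RE = re.compile(r"CREATE\s+(?:UNLOGGED\s+|TEMP(?:ORARY)?\s+)?TABLE\b", re.I)
WHO_RE = re.compile(r"\] (\S+@\S+) LOG:")

def flag_statements(log_lines):
    """Return (line_number, kind, user@database) for every logged statement
    that should be reviewed: REFRESH PUBLICATION or CREATE TABLE."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        who = WHO_RE.search(line)
        who = who.group(1) if who else "?"
        if REFRESH_RE.search(line):
            hits.append((n, "refresh_publication", who))
        elif CREATE_RE.search(line):
            hits.append((n, "create_table", who))
    return hits

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2026-05-15 10:01:02.001 UTC [4311] app_rw@subdb LOG:  statement: CREATE TABLE public.orders_new (id int)
2026-05-15 10:01:09.412 UTC [4311] app_rw@subdb LOG:  statement: INSERT INTO public.orders_new VALUES (1)
2026-05-15 10:02:11.123 UTC [4399] admin@subdb LOG:  statement: ALTER SUBSCRIPTION sub_orders REFRESH PUBLICATION
""".splitlines()

if __name__ == "__main__":
    print("17.3 affected:", is_affected("PostgreSQL 17.3 on x86_64-pc-linux-gnu"))
    for hit in flag_statements(SAMPLE_LOG):
        print("review:", hit)
```

Correlating a flagged CREATE TABLE on the subscriber with a later REFRESH PUBLICATION by a different role is the review the debrief's monitoring action calls for.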
Evidence notes
Vulnerability affects PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION. Attack requires subscriber table creation privileges and triggers on next REFRESH PUBLICATION. Affected versions: 16.0-16.13, 17.0-17.9, 18.0-18.3. Fixed in 16.14, 17.10, 18.4.
Official resources
- CVE-2026-6638 CVE record (CVE.org)
- CVE-2026-6638 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch, Vendor Advisory (2026-05-14)