PostgreSQL (The PostgreSQL Database Server)


PostgreSQL EOL Dates

Ensure that you are using a supported version of PostgreSQL. End-of-life (end of support) dates for PostgreSQL major releases, with status as of 2026:

Release  EOL Date            Status
18       November 14, 2030   Active (EOL in 4 years)
17       November 8, 2029    Active (EOL in 3 years)
16       November 9, 2028    Active (EOL in two years)
15       November 11, 2027   Active (EOL next year)
14       November 12, 2026   EOL this year
13       November 13, 2025   EOL
12       November 21, 2024   EOL
11       November 9, 2023    EOL
10       November 10, 2022   EOL
9.6      November 11, 2021   EOL
9.5      February 11, 2021   EOL
9.4      February 13, 2020   EOL
9.3      November 8, 2018    EOL
9.2      November 9, 2017    EOL
9.1      October 27, 2016    EOL
9.0      October 8, 2015     EOL
8.4      July 24, 2014       EOL
8.3      February 7, 2013    EOL
8.2      December 5, 2011    EOL
8.1      November 8, 2010    EOL
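The table above gives support dates per major release, and the advisories further down this page each name the first fixed minor release per major. The query below is an added example, not part of the stack.watch page and not PostgreSQL's own tooling, that checks both at once for the server you are connected to. It assumes the May 14, 2026 fix levels named on this page (18.4, 17.10, 16.14, 15.18, 14.23) and the EOL dates from the table; majors older than 13 are not listed in the VALUES and are treated as EOL.

```sql
-- Added example: triage the connected server against the EOL table and the
-- May 2026 fixed minor releases. server_version_num encodes
-- major * 10000 + minor, e.g. 17.9 -> 170009 and 18.4 -> 180004.
WITH running AS (
    SELECT current_setting('server_version_num')::int AS num
),
fixed(major, minor) AS (
    -- first minor release carrying the May 14, 2026 fixes (assumption: from this page)
    VALUES (18, 4), (17, 10), (16, 14), (15, 18), (14, 23)
),
eol(major, eol_date) AS (
    -- dates from the table above; older majors are simply absent and count as EOL
    VALUES (18, DATE '2030-11-14'), (17, DATE '2029-11-08'), (16, DATE '2028-11-09'),
           (15, DATE '2027-11-11'), (14, DATE '2026-11-12'), (13, DATE '2025-11-13')
)
SELECT r.num / 10000                               AS major,
       r.num % 10000                               AS minor,
       e.eol_date,
       COALESCE(e.eol_date < current_date, true)   AS major_is_eol,   -- NULL (unlisted major) -> true
       f.minor                                     AS first_fixed_minor,
       CASE
           WHEN f.minor IS NULL           THEN 'no May 2026 fix level listed for this major'
           WHEN r.num % 10000 < f.minor   THEN 'UPDATE: below the May 2026 fixed minor'
           ELSE                                'at or above the May 2026 fixed minor'
       END                                         AS patch_status
FROM running r
LEFT JOIN eol   e ON e.major = r.num / 10000
LEFT JOIN fixed f ON f.major = r.num / 10000;
```

Run it as any role; `server_version_num` is readable by everyone. A 9.x server yields major 9 (for example 90600 for 9.6), matches neither CTE and is reported as EOL with no fix level, which is the correct answer for it.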

By the Year

In 2026 there have been 15 vulnerabilities in PostgreSQL with an average score of 7.25 out of ten. Last year, in 2025, PostgreSQL had 8 security vulnerabilities published. That is, 7 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score in 2026 is 2.75 higher (7.25 versus 4.50).

Year  Vulnerabilities  Average Score
2026  15               7.25
2025  8                4.50
2024  9                6.24
2023  9                5.18
2022  7                7.33
2021  5                6.53
2020  7                7.55
2019  7                6.40
2018  8                8.24

It may take a day or so for new PostgreSQL vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent PostgreSQL Security Vulnerabilities

PostgreSQL <18.4,<17.10,<16.14: SQLi via ALTER SUBSCRIPTION REFRESH PUBLICATION
CVE-2026-6638 3.7 - Low - May 14, 2026

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

SQL Injection

PostgreSQL refint stack buffer overflow, before 18.4/17.10/16.14/15.18/14.23
CVE-2026-6637 8.8 - High - May 14, 2026

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Stack Overflow

PostgreSQL 18 Buffer Over-Read in pg_restore_attribute_stats() (before 18.4)
CVE-2026-6575 4.3 - Medium - May 14, 2026

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

Buffer Over-read

PostgreSQL uncontrolled recursion in SSL/GSS negotiation, DoS before 18.4/17.10/16.14/15.18/14.23
CVE-2026-6479 7.5 - High - May 14, 2026

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Stack Exhaustion

PostgreSQL MD5 Timing Channel CVE-2026-6478 (v<18.4/17.10/16.14/15.18/14.23)
CVE-2026-6478 6.5 - Medium - May 14, 2026

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Covert Timing Channel
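The advisory's practical point is that a cluster can be on a supported release and still carry MD5 verifiers inherited from an upgrade. The statements below are an added example, not part of the advisory or of PostgreSQL's tooling, showing how to find such roles and move them to SCRAM-SHA-256. `app_user`, the password literal and the pg_hba.conf addresses are placeholders.

```sql
-- Added example: audit stored password verifiers and migrate MD5 ones.
-- Reading pg_authid.rolpassword requires superuser. An MD5 verifier is stored
-- as 'md5' followed by hex; a SCRAM verifier starts with 'SCRAM-SHA-256$'.
SELECT rolname,
       CASE
           WHEN rolpassword IS NULL                 THEN 'no password stored'
           WHEN rolpassword LIKE 'md5%'             THEN 'MD5 - migrate'
           WHEN rolpassword LIKE 'SCRAM-SHA-256$%'  THEN 'SCRAM-SHA-256'
           ELSE 'other'
       END AS verifier
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- Make SCRAM the server-wide default for every subsequent password change
-- (scram-sha-256 is already the default in all supported releases; this
-- catches clusters whose postgresql.conf still pins md5).
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- A stored MD5 verifier cannot be rewritten as SCRAM in place: the role needs
-- a fresh password (set by an admin as here, or by the user via \password in psql).
-- 'app_user' and the literal are placeholders for this example.
ALTER ROLE app_user PASSWORD 'replace-with-a-newly-generated-secret';

-- Then close the weak path in pg_hba.conf by changing entries such as
--     host  all  all  10.0.0.0/8  md5
-- to
--     host  all  all  10.0.0.0/8  scram-sha-256
-- reload, and confirm that no md5 rule is left:
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'md5';
```

Changing the stored verifier is the part that removes the timing channel; the pg_hba.conf change only ensures that a client which still speaks the MD5 exchange is refused rather than silently kept on it. Re-run the first query after the rotation to confirm that no login role reports `MD5 - migrate`.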

PostgreSQL libpq PQfn buffer overflow in lo_* functions, before 18.4/17.10/16.14/15.18/14.23
CVE-2026-6477 8.8 - High - May 14, 2026

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Use of Inherently Dangerous Function

PostgreSQL 17.x/18.x SQLi in pg_createsubscriber, before 17.10/18.4
CVE-2026-6476 7.2 - High - May 14, 2026

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

SQL Injection

PostgreSQL pg_basebackup/pg_rewind symlink-following file overwrite, before 18.4/17.10/16.14/15.18/14.23
CVE-2026-6475 8.8 - High - May 14, 2026

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Symlink following

PostgreSQL integer wraparound causing undersized allocation and out-of-bounds write, before 18.4/17.10/16.14/15.18/14.23
CVE-2026-6473 8.8 - High - May 14, 2026

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Integer Overflow or Wraparound

PostgreSQL missing authorization in CREATE TYPE (search_path hijack), before 18.4/17.10/16.14/15.18/14.23
CVE-2026-6472 5.4 - Medium - May 14, 2026

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

AuthZ
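What the CREATE TYPE entry describes is one more member of the search_path family on this page (the schema_element and REFRESH MATERIALIZED VIEW entries further down are others): a caller resolves an unqualified name and an object creator has planted something earlier on the path. The block below is an added example, not from the advisory or from PostgreSQL itself, of the hardening that makes a function indifferent to what sits on the caller's search_path. `billing`, `audit_log`, their tables and `app_role` are hypothetical names.

```sql
-- Added example: search_path hardening for a privileged function.

-- 1. Untrusted roles should not be able to create objects in a schema that
--    other roles search by default. Fresh PostgreSQL 15+ installs already
--    revoke this on 'public'; upgraded or older clusters usually have not.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. A SECURITY DEFINER function must pin search_path, otherwise the caller
--    decides where every unqualified type, operator and function resolves.
CREATE OR REPLACE FUNCTION billing.charge(account_id bigint, amount numeric)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp        -- pg_temp last, so temp objects cannot shadow
AS $$
BEGIN
    -- Schema-qualify every object, and pin operators to pg_catalog so that a
    -- user-defined '=' or '-' on the same types cannot be chosen instead.
    UPDATE billing.accounts
       SET balance = balance OPERATOR(pg_catalog.-) amount
     WHERE id OPERATOR(pg_catalog.=) account_id;
    INSERT INTO audit_log.charges(account_id, amount, at)
    VALUES (account_id, amount, pg_catalog.now());
END;
$$;

-- Least privilege on the function itself: executable only by the app role.
REVOKE ALL ON FUNCTION billing.charge(bigint, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION billing.charge(bigint, numeric) TO app_role;

-- 3. Audit: SECURITY DEFINER functions that do not set search_path are the
--    ones exposed to this class of bug. proconfig holds the SET clauses.
SELECT n.nspname, p.proname
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND NOT COALESCE(p.proconfig::text LIKE '%search_path=%', false)
  AND n.nspname NOT IN ('pg_catalog', 'information_schema');
```

The audit query is the useful recurring check: any row it returns is a function running with its owner's rights while resolving names under the caller's control. Note that pinning search_path does not replace the minor-release update; it limits what an attacker can reach through the planted object even before the update lands.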

PostgreSQL Heap Buffer Overflow in pg_trgm (18.1,18.0)
CVE-2026-2007 8.2 - High - February 12, 2026

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

Heap-based Buffer Overflow

PostgreSQL buffer overrun via missing multibyte character length validation, before 18.2/17.8/16.12/15.16/14.21
CVE-2026-2006 8.8 - High - February 12, 2026

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Out-of-bounds Array Index

PostgreSQL pgcrypto heap buffer overflow (arbitrary code as the OS user), before 18.2/17.8/16.12/15.16/14.21
CVE-2026-2005 8.8 - High - February 12, 2026

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Heap-based Buffer Overflow

PostgreSQL intarray RCE before 18.2/17.8/16.12/15.16/14.21
CVE-2026-2004 8.8 - High - February 12, 2026

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Improper Validation of Specified Type of Input

PostgreSQL <18.2 Improper oidvector Validation Server Memory Disclosure
CVE-2026-2003 4.3 - Medium - February 12, 2026

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Improper Validation of Specified Type of Input

PostgreSQL libpq integer wraparound causing undersized allocation, before 18.1/17.7/16.11/15.15/14.20/13.23
CVE-2025-12818 5.9 - Medium - November 13, 2025

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

Integer Overflow or Wraparound

PostgreSQL CREATE STATISTICS missing authorization causing DoS, before 18.1/17.7/16.11/15.15/14.20/13.23
CVE-2025-12817 3.1 - Low - November 13, 2025

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

AuthZ

PostgreSQL optimizer statistics leak through views and row security, before 17.6/16.10/15.14/14.19/13.22
CVE-2025-8713 - August 14, 2025

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

PostgreSQL < 17.6: pg_dump Untrusted Data Inclusion Exec Vulnerability
CVE-2025-8714 - August 14, 2025

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

CVE-2025-8715: pg_dump Newline Code Injection (PG <17.6, <16.10, <15.14, <14.19, <13.22)
CVE-2025-8715 - August 14, 2025

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
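Both pg_dump entries above turn object names into restore-time psql input. Before dumping a database that untrusted roles can create objects in, it is worth knowing whether any name already carries the characters this bug fails to neutralize. The query below is an added example, not from the advisories or from pg_dump, covering the common catalogs; extend the UNION for other object kinds (types, triggers, policies, and so on).

```sql
-- Added example: list object names containing a newline or carriage return.
-- The E'' form makes the regex receive the two characters backslash-n and
-- backslash-r regardless of standard_conforming_strings; PostgreSQL's regex
-- engine interprets those as newline and carriage return.
WITH names(kind, name) AS (
    SELECT 'schema',   nspname FROM pg_namespace
    UNION ALL
    SELECT 'relation', relname FROM pg_class
    UNION ALL
    SELECT 'function', proname FROM pg_proc
    UNION ALL
    SELECT 'role',     rolname FROM pg_roles
    UNION ALL
    SELECT 'database', datname FROM pg_database
)
SELECT kind,
       name,
       -- show control bytes as octal escapes (\012, \015) so they are visible in output
       encode(convert_to(name, 'UTF8'), 'escape') AS escaped
FROM names
WHERE name ~ E'[\\n\\r]'
ORDER BY kind, name;
```

A non-empty result on a pre-fix server means a dump of that database should not be restored with a privileged OS account or a superuser database session until the names have been investigated and renamed; on a fixed server the same names are still worth renaming, since they have no legitimate purpose.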

Plain Text Credentials Stored in Local PostgreSQL Database
CVE-2025-1709 - July 03, 2025

Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded).

PostgreSQL GB18030 Buffer Over-read (before 17.5/16.9/15.13/14.18/13.21)
CVE-2025-4207 - May 08, 2025

Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

PostgreSQL improper quoting in libpq PQescape* functions causes SQLi, before 17.3/16.7/15.11/14.16/13.19
CVE-2025-1094 - February 13, 2025

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

PostgreSQL Row Security Policy Misapplication Vulnerability
CVE-2024-10976 4.2 - Medium - November 14, 2024

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Improper Preservation of Consistency Between Independent Representations of Shared State

PostgreSQL PL/Perl Environment Variable Control Vulnerability
CVE-2024-10979 8.8 - High - November 14, 2024

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

External Control of System or Configuration Setting

PostgreSQL: Incorrect Privilege Assignment Vulnerability in SET ROLE and SET SESSION AUTHORIZATION
CVE-2024-10978 4.2 - Medium - November 14, 2024

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Incorrect Privilege Assignment

PostgreSQL libpq Client-Side Injection via Server Error Messages
CVE-2024-10977 3.1 - Low - November 14, 2024

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Use of Less Trusted Source

TOCTOU in pg_dump allows arbitrary function execution, before 16.4/15.8/14.13/13.16/12.20
CVE-2024-7348 7.5 - High - August 08, 2024

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

TOCTTOU

PostgreSQL missing authorization in pg_stats_ext and pg_stats_ext_exprs views, before 16.3/15.7/14.12
CVE-2024-4317 4.3 - Medium - May 14, 2024

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.

AuthZ

pq out-of-bounds read, local information disclosure (CVE-2024-20038)
CVE-2024-20038 - March 04, 2024

In pq, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08495932; Issue ID: ALPS08495932.

Supabase dashboard SQLi via /pg_meta/default/query (disputed)
CVE-2024-24213 9.8 - Critical - February 08, 2024

Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically, /pg_meta/default/query is for SQL queries that are entered in an intended UI by an authorized user. Nothing is injected.

SQL Injection

PostgreSQL Privilege Escalation in REFRESH MV CONCURRENTLY, before 16.2
CVE-2024-0985 8 - High - February 08, 2024

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

PostgreSQL Array Integer Overflow Allows Authenticated Code Exec
CVE-2023-5869 8.8 - High - December 10, 2023

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Integer Overflow or Wraparound

PostgreSQL pg_cancel_backend Exploit Allowing DoS on Background Worker
CVE-2023-5870 2.2 - Low - December 10, 2023

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

Resource Exhaustion

PostgreSQL Mem Disclosure via Unknown-Type Aggregate Calls
CVE-2023-5868 4.3 - Medium - December 10, 2023

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

Function Call With Incorrect Argument Type

PostgreSQL 12.2 DoS via SIGHUP signal (disputed)
CVE-2020-21469 4.4 - Medium - August 22, 2023

An issue discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).

Classic Buffer Overflow

PostgreSQL Extension Script SQLi via @extowner@ @extschema@
CVE-2023-39417 7.5 - High - August 11, 2023

In the extension script, a SQL injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

SQL Injection
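The substitution the advisory refers to is plain text replacement of the placeholder with the (quoted) schema or owner name. Inside a dollar-quoted function body that replacement is not an identifier any more, just characters, so a name containing `$$` closes the body early and whatever follows runs as the bootstrap superuser. The script fragment below is an added example, not from the advisory or from any real extension, showing the same helper written the vulnerable way and the way that keeps the placeholder outside every quoting construct. It assumes a trusted, non-relocatable extension without a fixed schema, so that the installing role chooses the schema name; `myext`, `myext_ledger` and the function names are hypothetical.

```sql
-- Added example: extension script fragment (e.g. a myext--1.0.sql), two versions of one helper.

-- VULNERABLE: @extschema@ sits inside the $$ ... $$ body, where the substituted
-- text is not parsed as an identifier. A schema name chosen by the installer
-- that contains $$ ends the body here and the remainder of the name is executed
-- as the bootstrap superuser.
CREATE FUNCTION myext_total_unsafe(bigint) RETURNS numeric
LANGUAGE sql
AS $$
    SELECT sum(amount) FROM @extschema@.myext_ledger WHERE owner_id = $1
$$;

-- SAFER: every @extschema@ stays outside quoting constructs. Here it becomes
-- the identifier in the function's SET clause, so the substituted name is
-- parsed as an identifier (quoting applied by the server), and the body uses an
-- unqualified table name that the pinned search_path resolves.
CREATE FUNCTION myext_total(bigint) RETURNS numeric
LANGUAGE sql
SET search_path = @extschema@, pg_temp
AS $$
    SELECT sum(amount) FROM myext_ledger WHERE owner_id = $1
$$;
```

A quick check for extensions you ship or install from source is to grep their `*.sql` scripts for `@ext` occurrences that appear between `$$`, `'` or `"` delimiters; on a fixed server the installer's crafted name is rejected, but the script pattern is still wrong and should be corrected.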

PostgreSQL MERGE bypasses RLS UPDATE/SELECT checks, allows unauthorized inserts
CVE-2023-39418 3.1 - Low - August 11, 2023

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Insufficient Granularity of Access Control

PostgreSQL schema_element Elevation Vulnerability (CVE-2023-2454)
CVE-2023-2454 7.2 - High - June 09, 2023

Schema elements defeat protective search_path changes: certain database calls in PostgreSQL could permit an authenticated attacker with elevated database-level privileges to execute arbitrary code.

PostgreSQL RLS Policy Ignores UID Changes After Inlining
CVE-2023-2455 5.4 - Medium - June 09, 2023

Row security policies disregard user ID changes after inlining: PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

PostgreSQL Unauth Kerberos String Under-Read in libpq
CVE-2022-41862 3.7 - Low - March 03, 2023

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

PostgreSQL Privilege Escalation via Post-Operation Incomplete Privilege Checks
CVE-2022-1552 8.8 - High - August 31, 2022

A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

SQL Injection

Odyssey: MITM can inject unencrypted results while using SSL cert verification
CVE-2021-43767 5.9 - Medium - August 25, 2022

Odyssey passes unencrypted bytes from a man-in-the-middle to the client. When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to the client as if they originated from the valid server. This is similar to CVE-2021-23222 for PostgreSQL.

Improper Certificate Validation

Odyssey SSL Bypass Enables MANINTHEMIDDLE SQL Injection
CVE-2021-43766 8.1 - High - August 25, 2022

Odyssey passes unencrypted bytes from a man-in-the-middle to the server. When Odyssey is configured to use the certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.

Improper Certificate Validation

PostgreSQL Extension CREATE OR REPLACE RCE via Permissions Escalation
CVE-2022-2625 8 - High - August 18, 2022

A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.

Prototype Pollution

PostgreSQL MITM SQL injection at connection start with trust+clientcert or cert authentication
CVE-2021-23214 8.1 - High - March 04, 2022

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

SQL Injection

PostgreSQL MITM can inject false responses to a client's first queries despite SSL
CVE-2021-23222 5.9 - Medium - March 02, 2022

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.

Insufficiently Protected Credentials

PostgreSQL arbitrary server memory read via purpose-crafted query
CVE-2021-3677 6.5 - Medium - March 02, 2022

A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

Information Disclosure

PostgreSQL server memory read via INSERT ... ON CONFLICT ... DO UPDATE on a crafted table
CVE-2021-32028 6.5 - Medium - October 11, 2021

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

PostgreSQL server memory read via UPDATE ... RETURNING on a crafted table
CVE-2021-32029 6.5 - Medium - October 08, 2021

A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

Out-of-bounds Read
