PostgreSQL pg_basebackup/pg_rewind SYMLINK overwrite <=18.4/17.10/16.14/15.18/14.23
CVE-2026-6475 Published on May 14, 2026
PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Weakness Type
What is a Symlink following Vulnerability?
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
CVE-2026-6475 has been classified to as a Symlink following vulnerability or weakness.
Products Associated with CVE-2026-6475
Want to know whenever a new CVE is published for PostgreSQL? stack.watch will email you.
