PostgreSQL <18.4,<17.10,<16.14: SQLi via ALTER SUBSCRIPTION REFRESH PUBLICATION
CVE-2026-6638 Published on May 14, 2026

PostgreSQL REFRESH PUBLICATION allows SQL injection via table name
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

NVD

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-6638 has been classified to as a SQL Injection vulnerability or weakness.

Products Associated with CVE-2026-6638

Want to know whenever a new CVE is published for PostgreSQL? stack.watch will email you.

PostgreSQL

PostgreSQL <18.4,<17.10,<16.14: SQLi via ALTER SUBSCRIPTION REFRESH PUBLICATIONCVE-2026-6638 Published on May 14, 2026

Weakness Type

What is a SQL Injection Vulnerability?

Products Associated with CVE-2026-6638

PostgreSQL <18.4,<17.10,<16.14: SQLi via ALTER SUBSCRIPTION REFRESH PUBLICATION
CVE-2026-6638 Published on May 14, 2026