SQL Injection Vulnerability in Elixir Postgrex Notifications by Elixir
CVE-2026-32687

7.5 HIGH

Key Information:

CVE Published:
12 May 2026

What is CVE-2026-32687?

Postgrex.Notifications, the module that wraps PostgreSQL LISTEN/NOTIFY, built its LISTEN and UNLISTEN statements by interpolating the caller-supplied channel name directly into the SQL text. LISTEN and UNLISTEN take an identifier rather than a bind parameter, so the channel cannot be sent as a query parameter and instead becomes part of a simple query string; with no validation or identifier quoting, a channel such as orders; DROP TABLE users is executed as two statements, and whoever controls the channel name can run arbitrary SQL with the privileges of the notifications connection, including destructive statements like dropping tables. The same unvalidated channel names are replayed in LISTEN statements when the connection reconnects, so a malicious channel that was accepted once is executed again on every reconnect. Only applications that pass untrusted input (for example a user-chosen topic name) to listen/3 or unlisten/3 are exposed; applications that use fixed, hard-coded channel names are not. Upgrade to postgrex 0.22.2 or later, and in application code treat channel names as identifiers: restrict them to an allow-list pattern, or quote them as PostgreSQL identifiers, before they reach the library.
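The following is an added example, not Postgrex's own code. It contrasts the vulnerable statement construction the advisory describes (the channel interpolated straight into LISTEN/UNLISTEN) with a hardened builder that validates the channel against an identifier allow-list and quotes it as a PostgreSQL identifier. The module name ChannelGuard, its function names and the sample channel strings are assumptions made for this illustration.

```elixir
# Added example (not Postgrex's own code). ChannelGuard, its function names and
# the sample channels below are assumptions for this illustration.
defmodule ChannelGuard do
  # Vulnerable pattern: the channel becomes part of the statement text as-is.
  # LISTEN takes an identifier, not a bind parameter, and the statement goes
  # out as a simple query string, so a semicolon in the channel ends the LISTEN
  # and starts a second, attacker-chosen statement.
  def unsafe_listen_sql(channel) when is_binary(channel) do
    "LISTEN #{channel}"
  end

  # PostgreSQL truncates identifiers longer than 63 bytes (NAMEDATALEN - 1).
  @max_identifier_bytes 63

  # Allow-list: lower-case unquoted-style identifiers only. Unquoted names are
  # folded to lower case by PostgreSQL, so this keeps LISTEN and NOTIFY in
  # agreement. \A and \z anchor to the whole string; ^ and $ would still
  # accept a trailing newline.
  @identifier ~r/\A[a-z_][a-z0-9_]*\z/

  # Returns :ok for a channel name that is safe to hand to
  # Postgrex.Notifications.listen/3 or unlisten/3 unchanged, and
  # {:error, reason} otherwise.
  def validate(channel) when is_binary(channel) do
    cond do
      channel == "" -> {:error, :empty_channel}
      byte_size(channel) > @max_identifier_bytes -> {:error, :channel_too_long}
      not Regex.match?(@identifier, channel) -> {:error, :invalid_channel}
      true -> :ok
    end
  end

  def validate(_other), do: {:error, :not_a_string}

  # Hardened builders: {:ok, statement} only for a validated channel, which is
  # then quoted as an identifier so the statement is always exactly one
  # LISTEN/UNLISTEN.
  def safe_listen_sql(channel), do: build("LISTEN", channel)
  def safe_unlisten_sql(channel), do: build("UNLISTEN", channel)

  defp build(verb, channel) do
    with :ok <- validate(channel) do
      {:ok, verb <> " " <> quote_identifier(channel)}
    end
  end

  # Standard PostgreSQL identifier quoting: wrap in double quotes and double
  # any embedded double quote. The allow-list above already excludes quotes;
  # the quoting is kept so the statement stays a single LISTEN even if the
  # allow-list is later relaxed.
  defp quote_identifier(name) do
    "\"" <> String.replace(name, "\"", "\"\"") <> "\""
  end
end

# Constructed inputs: a legitimate channel and an injected one.
benign = "orders_updated"
hostile = "orders_updated; DROP TABLE users"

IO.puts(ChannelGuard.unsafe_listen_sql(benign))
IO.puts(ChannelGuard.unsafe_listen_sql(hostile))
IO.inspect(ChannelGuard.safe_listen_sql(benign))
IO.inspect(ChannelGuard.safe_unlisten_sql(benign))
IO.inspect(ChannelGuard.safe_listen_sql(hostile))
IO.inspect(ChannelGuard.validate("orders_updated\n"))
IO.inspect(ChannelGuard.validate(String.duplicate("a", 64)))
```

Run it with elixir channel_guard.exs (no Postgrex dependency is needed for the script itself). In an application that accepts channel names from untrusted input, call ChannelGuard.validate/1 before Postgrex.Notifications.listen/3 or unlisten/3 and pass the original name only on :ok; the quoted form shows what a safe statement builder emits and is not what you hand to the library, since quoting belongs in the statement builder rather than in the channel name. The allow-list, not the quoting, is what blocks the hostile input above; the quoting is defence in depth.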

Affected Version(s)

postgrex: versions from 0.16.0 up to, but not including, 0.22.2 (fixed in 0.22.2)

postgrex (git): commits from 266b530faf9bde094e31e0e4ab851f933fadc0f5 up to, but not including, 7cdedbd4316bb65f82e6a9a4f922c0ac491cb770

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Credit

Peter Ullrich