Denial of Service Vulnerability in PostgreSQL JDBC Driver
CVE-2026-42198

7.5HIGH

Key Information:

Vendor: Pgjdbc
Status: Vendor
CVE Published: 29 April 2026

What is CVE-2026-42198?

The PostgreSQL JDBC Driver (pgjdbc) is susceptible to a denial of service attack during SCRAM-SHA-256 authentication. The vulnerability affects pgjdbc versions from 42.2.0 up to, but not including, 42.7.11: a malicious server can advertise an excessive iteration count during SCRAM authentication, and the client then runs PBKDF2 with that count, causing unbounded CPU consumption that can effectively pin a CPU core. Even when a login timeout is configured, the worker thread handling the connection may keep consuming CPU time after the timeout has elapsed, potentially exhausting client resources or wedging connection pools. The issue is fixed in version 42.7.11.
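To show the client-side check this vulnerability calls for, here is an added example (not pgjdbc's own code): a minimal SCRAM-SHA-256 server-first-message parser that bounds the server-supplied iteration count before any PBKDF2 work starts. The cap `MAX_SCRAM_ITERATIONS`, the helper names and the sample messages are assumptions constructed for this example; the page does not state what limit pgjdbc 42.7.11 applies.

```python
import base64
import binascii
import hashlib
import re

# Constructed ceiling for this example; the page does not state the limit
# pgjdbc 42.7.11 enforces, so this value is an assumption, not the driver's.
MAX_SCRAM_ITERATIONS = 100_000


class ScramServerFirstError(ValueError):
    """Server-first message is malformed or unsafe to process."""


def parse_server_first(msg: str) -> dict:
    """Parse 'r=<nonce>,s=<base64 salt>,i=<iterations>' (RFC 5802 server-first).

    The iteration count is validated and bounded BEFORE any PBKDF2 work, so a
    hostile server cannot pin a CPU core by sending a huge 'i' value.
    """
    fields = {}
    for attr in msg.split(","):
        if len(attr) < 3 or attr[1] != "=":
            raise ScramServerFirstError(f"malformed attribute {attr!r}")
        fields[attr[0]] = attr[2:]
    for key in ("r", "s", "i"):
        if key not in fields:
            raise ScramServerFirstError(f"missing attribute {key!r}")
    if not re.fullmatch(r"[1-9][0-9]*", fields["i"]):
        raise ScramServerFirstError(f"non-numeric iteration count {fields['i']!r}")
    iterations = int(fields["i"])
    if iterations > MAX_SCRAM_ITERATIONS:
        raise ScramServerFirstError(
            f"iteration count {iterations} exceeds cap {MAX_SCRAM_ITERATIONS}")
    try:
        salt = base64.b64decode(fields["s"], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ScramServerFirstError("salt is not valid base64") from exc
    return {"nonce": fields["r"], "salt": salt, "iterations": iterations}


def is_safe_server_first(msg: str) -> bool:
    """True if the message parses and its iteration count is within the cap."""
    try:
        parse_server_first(msg)
        return True
    except ScramServerFirstError:
        return False


def salted_password(password: str, server_first: str) -> bytes:
    """SaltedPassword = Hi(password, salt, i), computed only after the bounds
    checks above. Real clients also SASLprep the password (omitted here)."""
    parsed = parse_server_first(server_first)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               parsed["salt"], parsed["iterations"])
```

A driver that rejects the message at `parse_server_first` never schedules the expensive work, so a login timeout no longer races against a thread already busy in PBKDF2.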

Affected Version(s)

pgjdbc >= 42.2.0, < 42.7.11

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
