Downgrade Vulnerability in PostgreSQL JDBC Driver by pgjdbc
CVE-2026-54291

8.2HIGH

Key Information:

Vendor

Pgjdbc

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-54291?

The PostgreSQL JDBC Driver (pgjdbc) versions 42.7.4 to 42.7.11 contain a vulnerability where connections designated to utilize channel binding can be silently downgraded from SCRAM-SHA-256-PLUS to plain SCRAM-SHA-256. This behavior may expose users to man-in-the-middle attacks. An attacker intercepting the TLS connection can exploit this downgrade through a certificate lacking a proper tls-server-end-point channel-binding hash. Notably, the bundled com.ongres.scram:scram-client fails to handle this condition appropriately, returning an empty byte array instead of signaling an error, while the pgJDBC ScramAuthenticator only confirms the presence of the PLUS mechanism without adequately verifying the validity of the channel binding. The issue has been addressed in version 42.7.12.

Affected Version(s)

pgjdbc >= 42.7.4, < 42.7.12

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.