Downgrade Vulnerability in PostgreSQL JDBC Driver by pgjdbc
CVE-2026-54291
What is CVE-2026-54291?
The PostgreSQL JDBC Driver (pgjdbc) versions 42.7.4 to 42.7.11 contain a vulnerability where connections designated to utilize channel binding can be silently downgraded from SCRAM-SHA-256-PLUS to plain SCRAM-SHA-256. This behavior may expose users to man-in-the-middle attacks. An attacker intercepting the TLS connection can exploit this downgrade through a certificate lacking a proper tls-server-end-point channel-binding hash. Notably, the bundled com.ongres.scram:scram-client fails to handle this condition appropriately, returning an empty byte array instead of signaling an error, while the pgJDBC ScramAuthenticator only confirms the presence of the PLUS mechanism without adequately verifying the validity of the channel binding. The issue has been addressed in version 42.7.12.
Affected Version(s)
pgjdbc >= 42.7.4, < 42.7.12
