SQL Injection Vulnerability in Postgrex Affected by Elixir Ecto
CVE-2026-58225
2.1LOW
What is CVE-2026-58225?
An SQL Injection vulnerability exists in Postgrex through Elixir's Ecto, allowing attackers to manipulate LISTEN channel names. This exploitation can lead to a denial of service, as malformed channel names cause the notification connection to break. While it does not permit arbitrary SQL execution, the flaw disrupts the notification system's ability to maintain subscriptions, resulting in silent data loss. Applications utilizing untrusted input for channel names are particularly vulnerable, impacting shared notification connections across multiple tenants.
Affected Version(s)
postgrex 0.16.0 < 0.22.3
postgrex 266b530faf9bde094e31e0e4ab851f933fadc0f5 < 795c6062f62c4394272ff4b89170688857b4f841
References
CVSS V4
Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Ullrich
José Valim
Jonatan Männchen / EEF
