PostgreSQL Missing Authorization Vulnerability in User-Defined Types
CVE-2026-6472

5.4MEDIUM

Key Information:

Vendor: PostgreSQL
Status: Postgresql
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-6472?

In PostgreSQL, a missing authorization flaw in the CREATE TYPE function allows an object creator to exploit a vulnerability by hijacking execution of arbitrary SQL functions in other queries that utilize the search_path setting. This can lead to unauthorized actions performed by the victim, potentially compromising database security. Users of PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23 are advised to upgrade immediately to mitigate this risk.

Affected Version(s)

PostgreSQL 18 < 18.4

PostgreSQL 17 < 17.10

PostgreSQL 16 < 16.14

References

https://www.postgresql.org/support/security/CVE-2026-6472/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 17, 2026

Credit

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2026-6472 Data

JSON