Symlink Following Vulnerability in PostgreSQL by PostgreSQL Inc.
CVE-2026-6475

CVSS 8.8 HIGH

Key Information:

Vendor: PostgreSQL Inc.
CVE Published: 14 May 2026

What is CVE-2026-6475?

A symlink following vulnerability exists in PostgreSQL's pg_basebackup and pg_rewind functionality. The flaw permits an originating superuser to overwrite critical local files, such as /var/lib/postgres/.bashrc, jeopardizing operating-system security. When the affected configurations are not properly managed, the vulnerability can lead to unauthorized access and system manipulation. If a superuser executes specific commands before the PostgreSQL server starts, a trust relationship is created that may be exploited. Mitigating this risk requires awareness of these configurations and careful management of server startup procedures. PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
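As an added defensive check, not part of this advisory or of the PostgreSQL project's own code: before pointing pg_basebackup or pg_rewind at a local directory, audit that directory for symlinks, since a link already present there is what a symlink-following write would traverse. The layout built in `run_demo()` is constructed for illustration; the directory names and the dotfile are placeholders.

```python
import os
import tempfile
from pathlib import Path


def find_symlinks(target_dir):
    """Walk target_dir without following links and return one
    (relative_link_path, resolved_target, escapes) tuple per symlink.
    escapes is True when the resolved target lies outside target_dir."""
    root = Path(target_dir).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # resolve() follows the whole chain; strict=False also handles dangling links
            resolved = link.resolve(strict=False)
            escapes = resolved != root and root not in resolved.parents
            findings.append((link.relative_to(root).as_posix(), str(resolved), escapes))
    return findings


def is_safe_backup_target(target_dir):
    """A destination for pg_basebackup/pg_rewind should hold no symlinks at all;
    any link, escaping or not, is a path a following write could take."""
    return not find_symlinks(target_dir)


def run_demo():
    """Constructed sample layout (hypothetical, not from the advisory): one link that
    stays inside the backup directory and one that points at a dotfile outside it."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        outside = base / "home_user"                 # stand-in for a home directory
        outside.mkdir()
        (outside / ".bashrc").write_text("# constructed sample dotfile\n")
        backup = base / "backup_dir"
        (backup / "pg_wal").mkdir(parents=True)
        (backup / "postgresql.conf").write_text("# constructed\n")
        (backup / "conf_link").symlink_to(backup / "postgresql.conf")
        (backup / "pg_wal" / "bashrc_link").symlink_to(outside / ".bashrc")
        return find_symlinks(backup), is_safe_backup_target(backup)


if __name__ == "__main__":
    for rel, target, escapes in run_demo()[0]:
        print(f"{rel} -> {target} {'ESCAPES' if escapes else 'inside'}")
```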

Affected Version(s)

PostgreSQL 18 < 18.4

PostgreSQL 17 < 17.10

PostgreSQL 16 < 16.14

PostgreSQL 15 < 15.18

PostgreSQL 14 < 14.23

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Credit

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.