SQL Injection Vulnerability in PostgreSQL pg_createsubscriber
CVE-2026-6476

7.2HIGH

Key Information:

Vendor: PostgreSQL
Status: Postgresql
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-6476?

A SQL injection vulnerability exists in the pg_createsubscriber function of PostgreSQL, allowing an attacker holding pg_create_subscription privileges to execute arbitrary SQL commands with superuser rights. This vulnerability is triggered when the pg_createsubscriber function is invoked, potentially compromising the security and integrity of the database. Affected versions include PostgreSQL 17 (up to 17.9) and 18 (up to 18.3), while earlier versions are not impacted.

Affected Version(s)

PostgreSQL 18 < 18.4

PostgreSQL 17 < 17.10

References

https://www.postgresql.org/support/security/CVE-2026-6476/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 17, 2026

Credit

The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

CVE-2026-6476 Data

JSON