Uncontrolled Recursion in PostgreSQL Affecting SSL and GSS Negotiation
CVE-2026-6479

7.5HIGH

Key Information:

Vendor: PostgreSQL Global Development Group
Status: Postgresql
Vendor: CVE Published:; 14 May 2026

🔔 Create PostgreSQL Global Development Group Vulnerability Alert

What is CVE-2026-6479?

This vulnerability in PostgreSQL allows an attacker to exploit uncontrolled recursion during SSL and GSS negotiation, potentially resulting in a sustained denial of service. If SSL and GSS are disabled, an attacker may still exploit access through a TCP socket. Affected versions include PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23, making it critical for administrators to apply timely updates to protect against this risk.

Affected Version(s)

PostgreSQL 18 < 18.4

PostgreSQL 17 < 17.10

PostgreSQL 16 < 16.14

References

https://www.postgresql.org/support/security/CVE-2026-6479/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 17, 2026

Credit

The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

CVE-2026-6479 Data

JSON