SQL Injection Vulnerability in PostgreSQL Logical Replication by PostgreSQL
CVE-2026-6638
3.7 LOW
What is CVE-2026-6638?
A vulnerability in PostgreSQL allows SQL injection through logical replication via the ALTER SUBSCRIPTION command. An attacker able to issue ALTER SUBSCRIPTION could cause arbitrary SQL to run with the privileges of the subscription's publication-side credentials, potentially leading to unauthorized access or data manipulation. The injected SQL executes upon the next REFRESH PUBLICATION operation. Affected versions are PostgreSQL 16 (up to 16.13), 17 (up to 17.9), and 18 (up to 18.3); earlier major versions are not affected.
Affected Version(s)
PostgreSQL 18 < 18.4
PostgreSQL 17 < 17.10
PostgreSQL 16 < 16.14
CVSS V3.1
Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Credit
The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.