PostgreSQL Global Development Group · PostgreSQL · CVE-2026-6472
**Name of the Vulnerable Software and Affected Versions**
PostgreSQL versions prior to 18.4
PostgreSQL versions prior to 17.10
PostgreSQL versions prior to 16.14
PostgreSQL versions prior to 15.18
PostgreSQL versions prior to 14.23
**Description**
Missing authorization in the `CREATE TYPE` command allows an object creator to hijack queries that use the `search_path` to locate user-defined types, including those defined by extensions. This can lead to the victim executing arbitrary SQL functions chosen by the attacker.
**Recommendations**
Update to version 18.4 or later.
Update to version 17.10 or later.
Update to version 16.14 or later.
Update to version 15.18 or later.
Update to version 14.23 or later.
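To triage a fleet against the fixed releases listed above, the following added example (not part of the advisory) classifies each server from its `server_version_num` value or `version()` string. The host names and inventory values are constructed; branches the advisory does not name are reported as `unlisted` rather than assumed safe.

```python
import re

# First fixed minor release per major branch, taken from the advisory above.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)\b")

def parse_version(value):
    """Return (major, minor) from server_version_num or a version string.

    PostgreSQL 10+ encodes server_version_num as major * 10000 + minor.
    """
    if isinstance(value, int) or str(value).strip().isdigit():
        num = int(value)
        if num < 100000:
            raise ValueError(f"pre-10 version number not handled: {value!r}")
        return num // 10000, num % 10000
    match = _VERSION_RE.search(str(value))
    if not match:
        raise ValueError(f"unrecognized version: {value!r}")
    return int(match.group(1)), int(match.group(2))

def classify(value):
    """Return 'affected', 'fixed', or 'unlisted' for one server version."""
    major, minor = parse_version(value)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        # Branch not named by the advisory: no conclusion either way.
        return "unlisted"
    return "fixed" if minor >= fixed else "affected"

def triage(inventory):
    """Map host -> (status, release to update to, or None)."""
    report = {}
    for host, value in inventory.items():
        status = classify(value)
        major, _ = parse_version(value)
        target = f"{major}.{FIXED_MINOR[major]}" if status == "affected" else None
        report[host] = (status, target)
    return report

# Constructed inventory, as gathered with SHOW server_version_num or SELECT version().
SAMPLE_INVENTORY = {
    "db-a": 160013,
    "db-b": "PostgreSQL 17.10 (Debian 17.10-1.pgdg120+1) on x86_64-pc-linux-gnu",
    "db-c": "14.22",
    "db-d": "13.23",
}
```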