CVE-2026-32687

Name of the Vulnerable Software and Affected Versions postgrex versions 0.16.0 through 0.22.1

Description An SQL Injection issue exists in the Elixir.Postgrex.Notifications module. The channel argument passed to the functions listen/3() and unlisten/3() is interpolated directly into SQL statements without escaping the double quote character. This allows an attacker who can influence the channel name to break out of the quoted identifier and append arbitrary SQL. Since the notifications connection utilizes the PostgreSQL simple query protocol, multi-statement payloads are accepted, enabling the chaining of Data Definition Language (DDL) and Data Manipulation Language (DML) commands. This unsanitized interpolation also occurs in the handle connect/1() function during the replay of commands after a reconnection.

Recommendations Update to version 0.22.2.