PT-2026-40921 · Postgresql Global Development Group+3 · Postgresql+2

Yu Kunpeng · Published 2026-05-14 · Updated 2026-05-21 · CVE-2026-6476

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

PostgreSQL versions 17.0 through 17.9
PostgreSQL versions 18.0 through 18.3

Description

SQL injection in the pg_createsubscriber function allows an attacker with pg_create_subscription rights to execute arbitrary SQL commands with superuser privileges. The attack is triggered when pg_createsubscriber is subsequently executed.

Recommendations

Update PostgreSQL version 17 to 17.10.
Update PostgreSQL version 18 to 18.4.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-07099
BIT-POSTGRESQL-2026-6476
CVE-2026-6476
ECHO-B729-AA9A-E866
OPENSUSE-SU-2026:10809-1
OPENSUSE-SU-2026:10828-1
USN-8294-1

Affected Products

Linuxmint
Postgresql
Ubuntu