PT-2026-54841 · Pgjdbc · Pgjdbc

Keijot

·

Published

2026-07-02

·

Updated

2026-07-06

·

CVE-2026-54291

CVSS v4.0

8.2

High

VectorAV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions pgjdbc versions 42.7.4 through 42.7.11
Description Connections using channelBinding=require can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256. This results in the loss of man-in-the-middle protection. An attacker capable of intercepting the TLS connection can trigger this downgrade using a certificate with a signature algorithm that lacks a tls-server-end-point channel-binding hash. This occurs because the com.ongres.scram:scram-client returns an empty byte array instead of failing, and the ScramAuthenticator() function only verifies that the server advertised a PLUS mechanism without rejecting the empty binding or ensuring the negotiated mechanism utilizes channel binding.
Recommendations Update pgjdbc to version 42.7.12.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54291

Affected Products

Pgjdbc