
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-6638 is a SQL injection vulnerability in PostgreSQL's logical replication mechanism, specifically in the ALTER SUBSCRIPTION ... REFRESH PUBLICATION command. It allows a subscriber table creator to execute arbitrary SQL using the subscription's publication-side credentials, with the attack taking effect at the next REFRESH PUBLICATION operation. Affected versions include PostgreSQL 16.0–16.13, 17.0–17.9, and 18.0–18.3; versions before PostgreSQL 16 are unaffected. The vulnerability was published on May 14, 2026. CVSS v3.1 scores differ by source: NVD assigns 8.8 (High) while the GitHub Advisory Database and ENISA assign 3.7 (Low), reflecting different assessments of attack complexity and user interaction requirements (GitHub Advisory, PostgreSQL Security).
The root cause is improper neutralization of special elements in an SQL command (CWE-89), where PostgreSQL fails to adequately sanitize table names or related identifiers when processing ALTER SUBSCRIPTION ... REFRESH PUBLICATION. An attacker who has permission to create tables on the subscriber side can craft a malicious table name containing SQL injection payloads, which are then executed with the credentials of the publication-side database connection when the subscription refresh is triggered. The attack requires low privileges (table creation rights on the subscriber) and is network-accessible, but exploitation depends on the timing of the next REFRESH PUBLICATION event. A patch commit is available in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).
Successful exploitation allows an attacker with subscriber table creation privileges to execute arbitrary SQL commands with the publication-side database credentials, potentially compromising the publication database's confidentiality, integrity, and availability. This could enable unauthorized data access, data manipulation, or privilege escalation on the publication server. The cross-database nature of the attack — where subscriber-side actions affect the publication-side system — increases the risk of lateral movement between database instances in a logical replication topology (GitHub Advisory, PostgreSQL Security).
ALTER SUBSCRIPTION setup.ALTER SUBSCRIPTION ... REFRESH PUBLICATION to be called, which causes PostgreSQL to process the malicious table name with publication-side credentials.REFRESH PUBLICATION events; anomalous activity in pg_stat_activity associated with the replication connection.pg_subscription_rel or related system catalogs on the subscriber database.Upgrade PostgreSQL to the patched versions: 16.14, 17.10, or 18.4 or later, which address this vulnerability (PostgreSQL Release). As a workaround, restrict ALTER SUBSCRIPTION and table creation permissions to only fully trusted database users. Monitor logical replication activities and audit REFRESH PUBLICATION operations for anomalous behavior. Implement network segmentation to limit access to database replication infrastructure. Distribution-specific patches are available for Debian, Ubuntu, SUSE, openSUSE, and Amazon Linux 2023 (SUSE Advisory, Amazon Linux).
The PostgreSQL project released fixes as part of a broader security update addressing 11 CVEs across versions 14 through 18, with version 14 reaching end-of-life in this release cycle (SecurityOnline). Security blogs and news outlets including CyberPress, GBHackers, and CyberSecurityNews covered the release, highlighting the SQL injection and code execution risks (CyberPress, GBHackers). The PostgreSQL community blog noted the release of eleven CVEs in a single update cycle (TheBuild Blog). The oss-security mailing list also carried disclosure details (oss-sec).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"