CVE-2026-6638
PostgreSQL 취약성 분석 및 완화

개요

CVE-2026-6638 is a SQL injection vulnerability in PostgreSQL's logical replication mechanism, specifically in the ALTER SUBSCRIPTION ... REFRESH PUBLICATION command. It allows a subscriber table creator to execute arbitrary SQL using the subscription's publication-side credentials, with the attack taking effect at the next REFRESH PUBLICATION operation. Affected versions include PostgreSQL 16.0–16.13, 17.0–17.9, and 18.0–18.3; versions before PostgreSQL 16 are unaffected. The vulnerability was published on May 14, 2026. CVSS v3.1 scores differ by source: NVD assigns 8.8 (High) while the GitHub Advisory Database and ENISA assign 3.7 (Low), reflecting different assessments of attack complexity and user interaction requirements (GitHub Advisory, PostgreSQL Security).

기술적 세부 사항

The root cause is improper neutralization of special elements in an SQL command (CWE-89), where PostgreSQL fails to adequately sanitize table names or related identifiers when processing ALTER SUBSCRIPTION ... REFRESH PUBLICATION. An attacker who has permission to create tables on the subscriber side can craft a malicious table name containing SQL injection payloads, which are then executed with the credentials of the publication-side database connection when the subscription refresh is triggered. The attack requires low privileges (table creation rights on the subscriber) and is network-accessible, but exploitation depends on the timing of the next REFRESH PUBLICATION event. A patch commit is available in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).

영향

Successful exploitation allows an attacker with subscriber table creation privileges to execute arbitrary SQL commands with the publication-side database credentials, potentially compromising the publication database's confidentiality, integrity, and availability. This could enable unauthorized data access, data manipulation, or privilege escalation on the publication server. The cross-database nature of the attack — where subscriber-side actions affect the publication-side system — increases the risk of lateral movement between database instances in a logical replication topology (GitHub Advisory, PostgreSQL Security).

착취 단계

  1. Identify target: Locate a PostgreSQL 16.x, 17.x, or 18.x instance (before 16.14, 17.10, or 18.4 respectively) that uses logical replication with an ALTER SUBSCRIPTION setup.
  2. Obtain subscriber table creation rights: Gain or already possess low-privilege access to the subscriber database with permission to create tables.
  3. Craft malicious table name: Create a table on the subscriber side with a name containing SQL injection payload characters (e.g., special characters or SQL syntax that will be interpreted when processed by the replication refresh logic).
  4. Trigger REFRESH PUBLICATION: Execute or wait for ALTER SUBSCRIPTION ... REFRESH PUBLICATION to be called, which causes PostgreSQL to process the malicious table name with publication-side credentials.
  5. Achieve arbitrary SQL execution: The injected SQL payload executes on the publication-side database with the subscription's publication credentials, potentially enabling data exfiltration, privilege escalation, or further compromise (PostgreSQL Security, GitHub Advisory).

타협의 징후

  • Logs: PostgreSQL server logs on the publication side showing unexpected SQL statements or errors originating from logical replication refresh operations; unusual queries executed under the replication user's credentials.
  • Database Activity: Unexpected DDL or DML operations on the publication database triggered during REFRESH PUBLICATION events; anomalous activity in pg_stat_activity associated with the replication connection.
  • Network: Unusual outbound connections from the publication-side PostgreSQL server following a subscription refresh, potentially indicating data exfiltration or reverse shell attempts.
  • Replication Metadata: Subscriber tables with unusual or specially crafted names visible in pg_subscription_rel or related system catalogs on the subscriber database.

완화 및 해결 방법

Upgrade PostgreSQL to the patched versions: 16.14, 17.10, or 18.4 or later, which address this vulnerability (PostgreSQL Release). As a workaround, restrict ALTER SUBSCRIPTION and table creation permissions to only fully trusted database users. Monitor logical replication activities and audit REFRESH PUBLICATION operations for anomalous behavior. Implement network segmentation to limit access to database replication infrastructure. Distribution-specific patches are available for Debian, Ubuntu, SUSE, openSUSE, and Amazon Linux 2023 (SUSE Advisory, Amazon Linux).

커뮤니티 반응

The PostgreSQL project released fixes as part of a broader security update addressing 11 CVEs across versions 14 through 18, with version 14 reaching end-of-life in this release cycle (SecurityOnline). Security blogs and news outlets including CyberPress, GBHackers, and CyberSecurityNews covered the release, highlighting the SQL injection and code execution risks (CyberPress, GBHackers). The PostgreSQL community blog noted the release of eleven CVEs in a single update cycle (TheBuild Blog). The oss-security mailing list also carried disclosure details (oss-sec).

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 PostgreSQL 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-6638HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql:16::postgresql-private-devel
아니요May 14, 2026
CVE-2026-6637HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql17-pltcl
아니요May 14, 2026
CVE-2026-6479HIGH7.5
  • PostgreSQL logoPostgreSQL
  • postgresql14-pltcl
아니요May 14, 2026
CVE-2026-6478MEDIUM6.5
  • PostgreSQL logoPostgreSQL
  • postgresql16
아니요May 14, 2026
CVE-2026-6575MEDIUM4.3
  • PostgreSQL logoPostgreSQL
  • postgresql18-server-devel-debuginfo
아니요May 14, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자