CVE-2026-6638

Name: CVE-2026-6638
Description: SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-6270-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release             Version           Status
postgresql-17 (PTS)   trixie              17.9-0+deb13u1    vulnerable
                      trixie (security)   17.10-0+deb13u1   fixed
postgresql-18 (PTS)   forky               18.3-1            vulnerable
                      sid                 18.4-1            fixed

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
postgresql-17   source   trixie       17.10-0+deb13u1              DSA-6270-1
postgresql-17   source   (unstable)   (unfixed)
postgresql-18   source   (unstable)   18.4-1

Notes

https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/
