PostgreSQL fixes code execution and SQL injection vulnerabilities in security update

The PostgreSQL Global Development Group has released security updates for all supported PostgreSQL branches, fixing 11 vulnerabilities that include arbitrary code execution, SQL injection, memory disclosure, denial of service, and file overwrite risks.

The new minor releases are PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23. Administrators should treat the update as urgent, especially on multi-tenant databases, internet-facing systems, replication environments, and servers where untrusted users can create database objects.

The update also fixes more than 60 bugs reported over the last several months. PostgreSQL says users do not need dump and restore or pg_upgrade for these minor releases. In most cases, administrators can stop PostgreSQL, update the binaries, and restart the service.

What PostgreSQL fixed in the latest update

The security release covers vulnerabilities across the core server, client libraries, backup tools, authentication, logical replication, and contrib modules.

The most serious issues include CVE-2026-6637 in the refint module and CVE-2026-6473, an integer wraparound issue affecting multiple PostgreSQL server features. Both received CVSS 3.1 scores of 8.8.

Several issues require an authenticated database user or specific privileges. That still matters because many PostgreSQL deployments support multiple application users, developers, reporting users, or tenant roles with different permissions.

CVE	Main issue	Impact	Affected versions
CVE-2026-6472	CREATE TYPE authorization flaw	Arbitrary SQL function execution through search_path hijacking	14 to 18
CVE-2026-6473	Integer wraparound	Out-of-bounds write and possible server crash	14 to 18
CVE-2026-6474	timeofday memory disclosure	Portions of server memory may be exposed	14 to 18
CVE-2026-6475	pg_basebackup and pg_rewind symlink issue	Local file overwrite risk under specific backup workflows	14 to 18
CVE-2026-6476	pg_createsubscriber SQL injection	SQL execution as superuser	17 to 18
CVE-2026-6477	libpq stack memory overwrite	Client-side memory corruption in tools such as psql and pg_dump	14 to 18
CVE-2026-6478	MD5 password timing channel	Credential recovery risk for MD5-hashed passwords	14 to 18
CVE-2026-6479	SSL and GSS recursion flaw	Sustained denial of service	14 to 18
CVE-2026-6575	pg_restore_attribute_stats over-read	Limited memory disclosure	18 only
CVE-2026-6637	refint stack overflow and SQL injection	Arbitrary code execution or SQL injection in specific cases	14 to 18
CVE-2026-6638	REFRESH PUBLICATION SQL injection	SQL execution with publication-side credentials	16 to 18

refint flaw can allow code execution

CVE-2026-6637 affects PostgreSQL’s refint module, which is used for referential integrity behavior. The flaw includes a stack buffer overflow that can allow an unprivileged database user to execute arbitrary code as the operating system account running PostgreSQL.

That makes the issue especially serious on shared database servers. If an attacker already has a low-privileged database account, the flaw can create a path from database-level access to code running under the PostgreSQL server account.

The same CVE also includes a separate SQL injection scenario. If an application exposes a user-controlled column as a refint cascade primary key and allows updates to that column, a crafted update can execute arbitrary SQL with the privileges of the database role performing the update.

Integer wraparound bug affects all supported branches

CVE-2026-6473 affects PostgreSQL 14 through 18 before the newly released fixed versions. The issue involves integer wraparound in multiple server features.

When triggered, PostgreSQL can undersize memory allocations and then write out of bounds. The official advisory describes a segmentation fault impact, while NVD also notes that arbitrary code execution may be possible in some conditions.

This bug matters most where applications pass very large or attacker-controlled inputs into affected database functions. Administrators should prioritize any system that accepts complex user-generated SQL, large text processing workloads, or untrusted database input.

Logical replication has SQL injection risks

Two vulnerabilities affect logical replication features. CVE-2026-6476 affects pg_createsubscriber in PostgreSQL 17 and 18. An attacker with pg_create_subscription rights can inject SQL that runs as a superuser when pg_createsubscriber next runs.

CVE-2026-6638 affects ALTER SUBSCRIPTION … REFRESH PUBLICATION in PostgreSQL 16 through 18. A subscriber table creator can craft a table name that causes arbitrary SQL to execute with the subscription’s publication-side credentials during the next refresh.

These issues are especially relevant for teams using logical replication across environments, tenants, or trust boundaries. Replication roles should not be treated as low-risk permissions.

Replication issue	Affected branches	Required condition	Result
CVE-2026-6476	17 and 18	Attacker has pg_create_subscription rights	SQL injection as superuser when pg_createsubscriber runs
CVE-2026-6638	16, 17, and 18	Attacker can create a subscriber table with a crafted name	SQL execution with publication-side credentials during REFRESH PUBLICATION

Client tools and backup workflows also need attention

CVE-2026-6477 affects libpq large object helper functions. A malicious or compromised server superuser can send oversized responses that overwrite stack memory in client tools such as psql and pg_dump.

This is a client-side risk. It matters when administrators or automation connect trusted tools to an untrusted, compromised, or attacker-controlled PostgreSQL server.

CVE-2026-6475 affects pg_basebackup in plain format and pg_rewind. The flaw allows symlink following that can overwrite unrelated local files chosen by the origin superuser. PostgreSQL notes that the practical risk depends on what administrators do between the backup or rewind operation and the next server start.

MD5 authentication and denial-of-service issues

CVE-2026-6478 involves a timing channel in comparison of MD5-hashed passwords. The issue can let an attacker recover credentials sufficient to authenticate.

The advisory notes that scram-sha-256 passwords are not affected. That is important because SCRAM is the default in supported PostgreSQL releases, but older upgraded databases may still contain MD5-hashed passwords from PostgreSQL 13 or earlier.

CVE-2026-6479 affects SSL and GSS negotiation and can lead to sustained denial of service. The exact exposure depends on connection paths and whether SSL and GSS are enabled or disabled.

Fixed PostgreSQL versions

Administrators should upgrade to the fixed minor release for their branch. Running a newer major version does not automatically remove the risk unless the correct minor release is installed.

Major branch	Fixed version	Recommended action
PostgreSQL 18	18.4	Upgrade to 18.4 or later
PostgreSQL 17	17.10	Upgrade to 17.10 or later
PostgreSQL 16	16.14	Upgrade to 16.14 or later
PostgreSQL 15	15.18	Upgrade to 15.18 or later
PostgreSQL 14	14.23	Upgrade now and plan migration before end of life

PostgreSQL 14 users should plan a migration

PostgreSQL 14 receives these security fixes through version 14.23, but it is nearing the end of its support life.

The PostgreSQL project says PostgreSQL 14 will stop receiving fixes on November 12, 2026. Organizations still running PostgreSQL 14 in production should apply 14.23 now and begin planning an upgrade to a newer supported branch.

That planning matters because end-of-life databases can become a long-term security risk. Once support ends, future PostgreSQL security releases will not include fixes for that branch.

How administrators should respond

The first step is to identify every PostgreSQL server, client tool host, backup server, replication host, container image, and managed database environment that uses an affected version.

Administrators should then apply the correct minor update, restart PostgreSQL, and confirm the running version. They should also update client utilities such as psql, pg_dump, pg_basebackup, and pg_rewind where those tools run outside the database server.

Teams should pay special attention to environments that use refint, logical replication, MD5 authentication, plain-format base backups, or shared database access for multiple users or tenants.

1. Inventory PostgreSQL servers and client tools across production, staging, and backup systems.
2. Upgrade to 18.4, 17.10, 16.14, 15.18, or 14.23.
3. Restart PostgreSQL and verify the active running version.
4. Update psql, pg_dump, pg_basebackup, and pg_rewind on administrator workstations and automation hosts.
5. Review use of refint and remove it where it is no longer needed.
6. Audit roles with pg_create_subscription and logical replication privileges.
7. Move remaining MD5 password users to SCRAM authentication.
8. Review backup and rewind workflows for symlink and origin-superuser trust risks.

Why this update matters for production databases

PostgreSQL is often part of critical infrastructure for applications, analytics systems, authentication platforms, financial services, and internal business tools.

A database vulnerability can have effects beyond the database itself. A successful attack can expose application data, compromise credentials, disrupt services, or give attackers code execution as the PostgreSQL operating system user.

Because this release fixes several different classes of bugs at once, administrators should treat it as a broad hardening update rather than a routine maintenance release.

FAQ