PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

The PostgreSQL project has released a set of security updates that address eleven vulnerabilities, several of them high severity, which could lead to remote code execution (RCE), SQL injection, and denial of service (DoS) in widely deployed database environments.

The PostgreSQL Global Development Group has rolled out versions 18.4, 17.10, 16.14, 15.18, and 14.23, patching 11 security flaws alongside more than 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and pose a real risk to enterprise systems built on database-driven applications, particularly where untrusted user input reaches the database or where replication features are exposed.

Several of the fixed vulnerabilities allow an attacker to run arbitrary SQL or, under specific conditions, achieve code execution. The batch is dominated by memory corruption, privilege escalation, and injection issues, which is why prompt patching is warranted.

For instance, a flaw in the refint contrib module lets an unprivileged user trigger a stack buffer overflow, which can lead to code execution on the database server. Separately, SQL injection flaws in the logical replication tooling let an attacker run unauthorized queries with elevated privileges; in the pg_createsubscriber case, as superuser.

PostgreSQL Flaws (CVE List)

  • CVE-2026-6472 (CVSS 5.4): Missing authorization in CREATE TYPE allows attackers to hijack queries via search_path and execute arbitrary SQL functions.
  • CVE-2026-6473 (CVSS 8.8): Integer wraparound leads to out-of-bounds writes and server crashes (potential memory corruption vector).
  • CVE-2026-6474 (CVSS 4.3): Format string issue in timeofday() leaks portions of server memory.
  • CVE-2026-6475 (CVSS 8.8): A symlink attack in pg_basebackup and pg_rewind allows overwriting arbitrary files.
  • CVE-2026-6476 (CVSS 7.2): SQL injection in pg_createsubscriber allows execution of arbitrary SQL as superuser.
  • CVE-2026-6477 (CVSS 8.8): libpq lo_* functions allow the server to overwrite client memory buffers.
  • CVE-2026-6478 (CVSS 6.5): Timing attack exposes MD5-hashed passwords during authentication.
  • CVE-2026-6479 (CVSS 7.5): SSL/GSS recursion flaw allows denial-of-service via socket connections.
  • CVE-2026-6575 (CVSS 4.3): Buffer over-read in pg_restore_attribute_stats leaks memory data (PostgreSQL 18 only).
  • CVE-2026-6637 (CVSS 8.8): The refint module enables stack overflow and SQL injection, leading to possible RCE.
  • CVE-2026-6638 (CVSS 3.7): SQL injection in REFRESH PUBLICATION via table names in logical replication.

Affected Versions

  • PostgreSQL 14 through 18 are impacted.
  • Specific fixes are included in:
    • 18.4
    • 17.10
    • 16.14
    • 15.18
    • 14.23

Older minor versions prior to these releases remain vulnerable. In addition to the security patches, the update addresses over 60 bugs that affect query correctness, replication reliability, backup handling, and performance optimization. Enhancements include improved partition pruning, corrections to foreign key behavior, and refined replication process management.

The release also updates timezone data to tzdata 2026b, accommodating regional time changes, such as British Columbia’s adoption of permanent daylight saving time starting in November 2026.

Mitigation and Recommendations

Organizations running PostgreSQL should act promptly:

  • Upgrade to the latest patched versions (18.4, 17.10, 16.14, 15.18, 14.23).
  • Stop using MD5 password authentication: set password_encryption to scram-sha-256, have affected users re-set their passwords (existing MD5 hashes cannot be converted), and replace md5 with scram-sha-256 in pg_hba.conf.
  • Restrict privileges for replication and subscription-related roles.
  • Audit the use of extensions such as refint and replication features.
  • Monitor for abnormal queries or crashes indicating exploitation attempts.
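The version, authentication, replication-role and extension checks listed above, written out as an SQL audit to run in psql as a superuser. This is an added example, not code from the article or from the PostgreSQL project; it uses only system catalogs and settings that exist in PostgreSQL 14 through 18. The minimum version numbers are the patched releases named in the article, and the role name app_user in the comments is an assumed placeholder.

```sql
-- 1. Is this server at or above the patched minor release?
--    server_version_num is major*10000 + minor, so 18.4 is 180004.
WITH v AS (SELECT current_setting('server_version_num')::int AS n)
SELECT current_setting('server_version') AS version,
       CASE
         WHEN n BETWEEN 180000 AND 180003 THEN 'UPGRADE to 18.4'
         WHEN n BETWEEN 170000 AND 170009 THEN 'UPGRADE to 17.10'
         WHEN n BETWEEN 160000 AND 160013 THEN 'UPGRADE to 16.14'
         WHEN n BETWEEN 150000 AND 150017 THEN 'UPGRADE to 15.18'
         WHEN n BETWEEN 140000 AND 140022 THEN 'UPGRADE to 14.23'
         WHEN n < 140000                   THEN 'UNSUPPORTED major version'
         ELSE 'patched'
       END AS status
FROM v;

-- 2. Login roles whose stored hash is still MD5 (relevant to CVE-2026-6478).
--    pg_authid is superuser-only; SCRAM hashes start with 'SCRAM-SHA-256$'.
SELECT rolname,
       CASE WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            ELSE 'no password'
       END AS hash_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY hash_type, rolname;

-- 3. pg_hba.conf rules that still accept md5 (or the weaker password / trust).
SELECT line_number, type, database, user_name, auth_method
FROM pg_hba_file_rules
WHERE auth_method IN ('md5', 'password', 'trust');

-- 4. Fix: hash new passwords with SCRAM, then have each user re-set their
--    password. An MD5 hash cannot be converted; the plaintext is required,
--    so this step is per user. app_user is an assumed role name.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
-- ALTER ROLE app_user PASSWORD 'new-password';   -- run once per affected role

-- 5. Roles with replication or other elevated rights, and who owns
--    subscriptions and publications (CVE-2026-6476, CVE-2026-6638).
SELECT rolname, rolsuper, rolreplication, rolcreaterole
FROM pg_roles
WHERE rolsuper OR rolreplication OR rolcreaterole
ORDER BY rolname;

SELECT 'subscription' AS kind, subname AS name, pg_get_userbyid(subowner) AS owner
FROM pg_subscription
UNION ALL
SELECT 'publication', pubname, pg_get_userbyid(pubowner)
FROM pg_publication;

-- 6. Is refint installed, and which tables carry triggers on its functions
--    (CVE-2026-6637)? refint provides check_primary_key() and check_foreign_key().
SELECT extname, extversion FROM pg_extension WHERE extname = 'refint';

SELECT c.relname AS table_name, t.tgname AS trigger_name, p.proname AS function_name
FROM pg_trigger t
JOIN pg_class c ON c.oid = t.tgrelid
JOIN pg_proc  p ON p.oid = t.tgfoid
WHERE p.proname IN ('check_primary_key', 'check_foreign_key')
  AND NOT t.tgisinternal;
```

Queries 2, 3, 5 and 6 are read-only and safe to run on production. Step 4 changes a server setting; ALTER SYSTEM cannot run inside a transaction block, and the pg_hba.conf edit from md5 to scram-sha-256 should be applied only after every role listed by query 2 has a SCRAM hash, otherwise those logins break.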

PostgreSQL 14 is set to reach its end-of-life on November 12, 2026, after which it will no longer receive security updates, thereby increasing exposure to future vulnerabilities. Users are strongly encouraged to migrate to newer supported versions.

This release underscores the growing complexity of database attack surfaces, particularly in features like logical replication and client libraries. Timely patching and secure configuration are essential to safeguarding against the evolving threats targeting database infrastructure.
