On May 14, 2026, PostgreSQL released critical security updates for all supported versions, including 18.4, 17.10, 16.14, 15.18, and 14.23. This coordinated effort addresses 11 Common Vulnerabilities and Exposures (CVEs), which encompass a range of issues such as stack buffer overflows, SQL injection, memory disclosure, and denial-of-service vulnerabilities. Alongside these urgent patches, over 60 additional bug fixes have been bundled into the update.
Security analysts are emphasizing the importance of this upgrade, especially for organizations utilizing logical replication across trust boundaries. In such scenarios, low-privilege users could potentially exploit subscription commands to escalate their privileges, posing significant risks to data integrity and security.
Multiple Critical PostgreSQL Flaws
The most pressing vulnerability, identified as CVE-2026-6637, has a CVSS score of 8.8 and is located within PostgreSQL’s refint contrib module. This flaw allows a remote, unprivileged database user to send specially crafted input that triggers a stack-based buffer overflow, enabling the execution of arbitrary code as the operating system user running the database server. Additionally, a secondary attack vector exists that facilitates SQL injection when an application exposes a user-controlled column as a refint cascade primary key, allowing arbitrary SQL execution with the database user’s privileges during primary key updates.
Another significant flaw, CVE-2026-6473, affects multiple PostgreSQL server features vulnerable to integer wraparound. This vulnerability permits an application input provider to induce undersized memory allocations, leading to out-of-bounds writes, segmentation faults, and potential memory corruption across all versions from 14 to 18.
Furthermore, CVE-2026-6477 mirrors the classic C gets() function flaw. In this case, the PQfn(..., result_is_int=0, ...) function within libpq’s large-object features can store arbitrarily large server-determined data into an unspecified buffer. Since both psql and pg_dump invoke lo_read(), a malicious server superuser could overwrite stack memory in client tools across all supported versions.
Lastly, CVE-2026-6475 introduces a path traversal vulnerability via symlink in pg_basebackup (plain format) and pg_rewind. This flaw allows an origin superuser to overwrite sensitive OS-level files, such as /var/lib/postgres/.bashrc, which could lead to operating system account hijacking during backup or failover operations.
SQL Injection and Authentication Flaws
| CVE | Vector | CVSS | Affected Versions |
|---|---|---|---|
| CVE-2026-6476 | SQL injection via subscription name in pg_createsubscriber → superuser SQL execution | 7.5 | 17–18 |
| CVE-2026-6638 | SQL injection in ALTER SUBSCRIPTION ... REFRESH PUBLICATION via table name | 3.7 | 16–18 |
| CVE-2026-6479 | Uncontrolled SSL/GSS recursion → unauthenticated remote DoS via TCP or Unix socket | 7.5 | 14–18 |
| CVE-2026-6478 | Covert MD5 timing channel → password hash recovery (does not affect scram-sha-256) | 6.5 | 14–18 |
| CVE-2026-6474 | Format string in timeofday() leaks server memory via crafted timezone strings | 4.3 | 14–18 |
| CVE-2026-6472 | Missing auth in CREATE TYPE allows search_path hijacking → arbitrary SQL execution | 5.4 | 14–18 |
| CVE-2026-6575 | Buffer over-read in pg_restore_attribute_stats() leaks memory past array bounds | 4.3 | 18 only |
The MD5 timing channel (CVE-2026-6478) specifically targets legacy deployments that have been upgraded from PostgreSQL 13 or earlier and still retain md5 entries in pg_hba.conf. Notably, the default scram-sha-256 in all supported releases remains unaffected.
Patching and Upgrade Path
To implement these updates, no database dump, reload, or pg_upgrade is necessary; a simple binary swap followed by a service restart suffices. For those in package-managed environments, the upgrade path is straightforward:
- Debian/Ubuntu: `sudo apt update && sudo apt install postgresql-18`
- RHEL/Fedora: `sudo dnf update postgresql`
- macOS (Homebrew): `brew upgrade postgresql@18`
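A small check for the two points an administrator will want to confirm after reading the above: whether a server has reached the patched minor for its major line, and whether pg_hba.conf still carries md5 rules from a pre-14 upgrade (the CVE-2026-6478 exposure). This is an added example, not code from the article or the PostgreSQL project; the patched-minor table is taken from the release numbers above, the method keyword list is assumed to be the standard pg_hba.conf set, and the sample pg_hba.conf is constructed.

```python
import re
from typing import Optional

# Patched minor releases named in the May 14, 2026 advisory, keyed by major line.
PATCHED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Keywords accepted in the METHOD column of pg_hba.conf (assumed standard set).
HBA_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
               "ident", "peer", "pam", "ldap", "radius", "cert", "bsd", "oauth"}

_VERSION_RE = re.compile(r"^(?:PostgreSQL\s+)?(\d+)\.(\d+)")

def parse_server_version(version_text: str) -> Optional[tuple[int, int]]:
    """Return (major, minor) from `SHOW server_version` or `SELECT version()` text."""
    m = _VERSION_RE.match(version_text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def needs_patch(version_text: str) -> Optional[bool]:
    """True if the server is below the patched minor for its major line.
    None: text did not parse, or the major is not in the advisory (13 and
    earlier are out of support and get no fix)."""
    parsed = parse_server_version(version_text)
    if parsed is None or parsed[0] not in PATCHED_MINOR:
        return None
    major, minor = parsed
    return minor < PATCHED_MINOR[major]

def md5_hba_entries(hba_text: str) -> list[str]:
    """Return pg_hba.conf rules whose METHOD is md5 (CVE-2026-6478 exposure).
    Columns are TYPE DATABASE USER [ADDRESS [MASK]] METHOD [OPTIONS], so the
    method is the first recognised keyword at or after the fourth field."""
    hits = []
    for line in hba_text.splitlines():
        rule = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        fields = rule.split()
        method = next((f for f in fields[3:] if f in HBA_METHODS), None)
        if method == "md5":
            hits.append(rule)
    return hits

# Constructed sample pg_hba.conf, not taken from any real deployment.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS              METHOD
local   all       all                        peer
host    all       all   127.0.0.1/32         scram-sha-256
host    legacy    app   10.0.0.0 255.0.0.0   md5    # kept from a 13.x install
hostssl all       all   0.0.0.0/0            md5
"""
```

Feed `needs_patch` the output of `SHOW server_version;` on each host and `md5_hba_entries` the contents of its pg_hba.conf; any md5 rule reported should be moved to scram-sha-256 regardless of patch status.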
For managed cloud databases, minor version patches are typically applied during maintenance windows. Administrators are advised to verify their current minor version in the console and initiate a manual upgrade if they have not yet reached the patched release.
As PostgreSQL 14, now updated to version 14.23, approaches its end-of-life on November 12, 2026, it will cease to receive any further security fixes. Administrators operating version 14 in production environments should view this update as a final opportunity to plan a major version upgrade to PostgreSQL 16 or 17 before the support window closes.