Critical PostgreSQL Vulnerabilities Enable Code Execution and SQL Injection

The PostgreSQL Global Development Group has rolled out essential security updates across all supported branches, addressing a total of 11 vulnerabilities. Among these are critical issues related to arbitrary code execution and multiple SQL injection flaws. The newly released versions—PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23—serve as both security and maintenance updates, marking a significant step for production databases.

These minor versions not only tackle the identified CVEs but also rectify over 60 bugs reported in recent months, underscoring the urgency of this release. It is important to note that all supported branches from 14 through 18 are impacted by at least some vulnerabilities, indicating that merely upgrading to a newer major version does not eliminate potential risks.

Database administrators can perform in-place upgrades by halting PostgreSQL and updating the binaries; there is no need for a dump/restore or pg_upgrade for these minor updates.

PostgreSQL Vulnerabilities

Code Execution via refint Module

Among the vulnerabilities, CVE-2026-6637 stands out as particularly severe, residing within the refint module responsible for enforcing referential integrity. This stack buffer overflow vulnerability enables an unprivileged database user to execute arbitrary code under the operating system account that runs PostgreSQL, potentially leading to a complete server compromise from a database-level foothold.

A separate attack vector emerges when an application exposes a user-controlled column as a refint-cascade primary key, permitting users to update it. In such instances, a crafted primary key update can instigate SQL injection, allowing the attacker to execute arbitrary SQL with the database privileges of the updating role.

Vulnerability     Impact
CVE-2026-6472     Privilege bypass and arbitrary SQL execution
CVE-2026-6473     Potential RCE and memory corruption
CVE-2026-6474     Server memory information leak
CVE-2026-6475     Arbitrary file overwrite vulnerability
CVE-2026-6476     SQL injection with superuser execution
CVE-2026-6477     Client-side code execution risk
CVE-2026-6478     MD5 credential timing leak
CVE-2026-6479     SSL/GSS denial-of-service flaw
CVE-2026-6575     Limited memory disclosure issue
CVE-2026-6637     Stack overflow and SQL injection
CVE-2026-6638     SQL injection in logical replication

SQL Injection in Replication Components

The logical replication features contain several SQL injection vulnerabilities that can be exploited for privilege escalation. CVE-2026-6476 affects the pg_createsubscriber utility, allowing an attacker with pg_create_subscription rights to inject SQL that executes with superuser privileges when pg_createsubscriber is run.

Another vulnerability, CVE-2026-6638, is found in the ALTER SUBSCRIPTION … REFRESH PUBLICATION command. A subscriber table creator can craft table names that trigger arbitrary SQL execution using the publication side's credentials the next time REFRESH PUBLICATION is executed. These flaws predominantly affect PostgreSQL environments running versions 16–18 that utilize logical replication.

Other Critical Memory and Client-Side Issues

Additional vulnerabilities pose risks to memory safety, denial-of-service scenarios, and client tools. CVE-2026-6473 highlights integer wraparound issues that lead to undersized memory allocations and out-of-bounds writes, which can cause segmentation faults when attackers provide specially crafted inputs.

Furthermore, CVE-2026-6477 affects the libpq client library and stems from unsafe use of PQfn in large-object helper functions such as lo_export() and lo_read(). This could enable a server superuser to send oversized responses that overwrite stack memory in client tools like psql and pg_dump, potentially resulting in client-side code execution.

Backup utilities are also at risk; CVE-2026-6475 permits pg_basebackup (plain format) and pg_rewind to follow symbolic links, leading to arbitrary local file overwrites chosen by the origin superuser, including sensitive files like shell profiles.

As PostgreSQL 14 approaches its end-of-life on November 12, 2026, it will cease to receive updates. Organizations still operating on version 14 should apply the 14.23 update immediately and begin planning a migration to a newer supported branch.

Given the combination of vulnerabilities related to code execution, SQL injection, memory corruption, and client-side risks, these updates should be regarded as urgent, particularly for PostgreSQL deployments exposed to the internet or operating in multi-tenant environments.

Teams are encouraged to prioritize upgrades to versions 18.4, 17.10, 16.14, 15.18, or 14.23 and to review their usage of refint, logical replication, and client tooling as part of their security hardening initiatives.
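As an added audit helper (not part of the original article or of the PostgreSQL project), the script below gates a server's reported version against the fixed minor releases listed above and flags which of the two review areas, refint and logical replication, apply to it. It assumes that refint usage shows up as triggers bound to the contrib functions check_primary_key()/check_foreign_key() and that subscriptions are listed in pg_subscription; the inputs come from the SQL in AUDIT_SQL, run with psql by the operator.

```python
"""Triage helper: is this PostgreSQL server still below the fixed minor
release, and which of the reviewed risk areas are in use on it?"""
import re

# First patched minor per supported major, taken from the release notice above.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Queries a DBA runs (e.g. psql -At -c "...") to collect the inputs for assess().
# The refint module (contrib/spi/refint) installs check_primary_key/check_foreign_key
# as trigger functions, so counting triggers bound to them reveals refint usage.
AUDIT_SQL = {
    "version": "SHOW server_version;",
    "refint_triggers": (
        "SELECT count(*) FROM pg_trigger t JOIN pg_proc p ON p.oid = t.tgfoid "
        "WHERE p.proname IN ('check_primary_key', 'check_foreign_key');"
    ),
    "subscriptions": "SELECT count(*) FROM pg_subscription;",
}


def parse_version(text):
    """Extract (major, minor) from '16.12' or a full 'PostgreSQL 16.12 on ...' banner."""
    m = re.search(r"\b(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def needs_update(version_text):
    """True if the server is below its branch's fixed minor release.
    Majors older than 14 are out of support and never receive a fix, so they
    count as needing an update; majors newer than 18 are unknown and return False."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"cannot parse PostgreSQL version from {version_text!r}")
    major, minor = parsed
    if major not in FIXED_MINOR:
        return major < 14
    return minor < FIXED_MINOR[major]


def assess(version_text, refint_triggers, subscriptions):
    """Return an ordered list of findings; empty means nothing to act on."""
    findings = []
    if needs_update(version_text):
        findings.append("unpatched")
        if refint_triggers > 0:
            findings.append("refint in use (CVE-2026-6637)")
        if subscriptions > 0:
            findings.append("logical replication in use (CVE-2026-6476, CVE-2026-6638)")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs standing in for the query results.
    print(assess("PostgreSQL 17.9 on x86_64-pc-linux-gnu", 2, 1))
```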


Tech Optimizer