PostgreSQL Archives

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Tech Optimizer

May 22, 2026

AI Data Platform Modernization in Financial Services | Microsoft Azure PostgreSQL | The Microsoft Cloud Blog

Financial service institutions are increasingly exploring AI applications to alleviate operational burdens and gain a competitive edge, but face challenges with legacy data infrastructures that may not meet modern demands. The need for continuous availability and compliance is critical, as even brief downtime can have catastrophic consequences. Aging databases struggle with high-volume transactions and real-time analytics, prompting a focus on predictive maintenance and infrastructure automation. Microsoft Azure's PostgreSQL managed services, including Azure Database for PostgreSQL, address these challenges by providing flexible performance scaling and ensuring high availability. The service can trigger automatic failover within 60 to 120 seconds during outages, guaranteeing up to a 99.99% availability SLA. It supports read replicas for offloading analytics without impacting primary database performance and offers layered security controls, including encryption at rest and network isolation. Azure Database for PostgreSQL simplifies compliance with standards such as PCI DSS and SOC by enabling centralized identity and access management through Microsoft Entra ID authentication. It integrates seamlessly with the Microsoft ecosystem, allowing organizations to connect data to analytics and AI services without complex ETL processes. BNY Mellon successfully modernized its data platform by migrating to Azure Database for PostgreSQL in nine months, achieving improved resilience and allowing engineering teams to focus on innovation. The platform supports high availability, backup capabilities, and extensibility, empowering financial institutions to remain innovative in the era of AI.

Tech Optimizer

May 21, 2026

CVE-2024-55638: Highly Critical Drupal Core Vulnerability Threatens PostgreSQL Sites with Remote Code Execution (RCE)

A critical vulnerability, CVE-2024-55638, has been identified in Drupal Core, affecting installations using PostgreSQL as their backend database. This vulnerability involves PHP Object Injection, which can lead to full Remote Code Execution (RCE) when combined with another deserialization flaw. It cannot be exploited independently but increases the risk for Drupal installations that use third-party modules or custom code that improperly employs the unserialize() function. The affected versions include Drupal Core 7.x prior to 7.102, 8.0.0 and above prior to 10.2.11, and 10.3.0 prior to 10.3.9, with patched versions being 7.102, 10.2.11, and 10.3.9. The vulnerability is particularly relevant for sites using PostgreSQL, and organizations are urged to upgrade to the patched versions and audit their code for unsafe unserialize() usage. Currently, there are no confirmed reports of exploitation in the wild, but the risk remains high due to insecure deserialization bugs in third-party modules. The EPSS score for this vulnerability is 9.93%, indicating a significant likelihood of exploitation in the near future.

Tech Optimizer

May 21, 2026

The HackerNoon Newsletter: It’s 2026, Just Use Postgres (5/17/2026)

Recent advancements in technology include the integration of artificial intelligence and machine learning into business operations, leading to enhanced efficiency and productivity. Automation tools are being adopted to streamline workflows, reduce human error, and improve employee satisfaction. Organizations are leveraging data analytics to gain insights for strategic decision-making, using predictive analytics to anticipate market trends and consumer behavior. Additionally, there is a growing emphasis on cybersecurity, with companies investing in robust security measures to protect sensitive information and maintain consumer trust.

Tech Optimizer

May 21, 2026

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has announced critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which allows attackers to execute remote code, escalate privileges, or disclose sensitive information. The vulnerability has a CVSS score of 6.5 and affects only sites using PostgreSQL databases. It can be exploited by anonymous users and is rooted in a database abstraction API used for query validation and SQL injection prevention. Updates have been released for the following versions: - Drupal 11.3.10 - Drupal 11.2.12 - Drupal 11.1.10 - Drupal 10.6.9 - Drupal 10.5.10 - Drupal 10.4.10 Drupal 7 is not impacted by this vulnerability. Users on unsupported versions 9 and 8 can access manual patches for: - Drupal 9.5 - Drupal 8.9 Drupal has stated that versions 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage, and that both Drupal 8 and 9 have reached end-of-life status. Patches for unsupported versions are provided as a best effort, but users should be aware of potential other vulnerabilities.

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

Critical PostgreSQL Flaws Enable Code Execution and SQL Injection

On May 14, 2026, PostgreSQL released critical security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 Common Vulnerabilities and Exposures (CVEs) related to stack buffer overflows, SQL injection, memory disclosure, and denial-of-service vulnerabilities. The most critical vulnerability, CVE-2026-6637, has a CVSS score of 8.8 and allows remote, unprivileged database users to execute arbitrary code. Other notable vulnerabilities include CVE-2026-6473, which affects memory allocation leading to potential memory corruption, and CVE-2026-6475, which allows overwriting sensitive OS-level files. Additional vulnerabilities include SQL injection flaws and authentication issues, with various CVSS scores ranging from 3.7 to 7.5. The updates can be implemented without a database dump, and PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

PoC Exploit Released for 20-Year Old PostgreSQL RCE Vulnerability

A proof-of-concept exploit has been developed for CVE-2026-2005, a remote code execution vulnerability in the pgcrypto extension of PostgreSQL. This vulnerability, stemming from legacy code, allows attackers to trigger a heap-based buffer overflow through specially crafted PGP messages, enabling arbitrary memory read and write operations. Successful exploitation can escalate privileges to PostgreSQL superuser status and execute commands on the operating system. The exploit targets PostgreSQL instances compiled from a specific vulnerable commit and circumvents protections like Address Space Layout Randomization (ASLR). It involves corrupting heap memory structures, leading to a controlled pointer leak that reveals the heap layout. Security researcher Varik Matevosyan has published the PoC on GitHub, demonstrating the exploitation process. The exploit requires a compatible PostgreSQL binary and utilizes Python-based tools for interaction. Organizations are advised to review their PostgreSQL deployments, disable unnecessary extensions, and apply security updates to mitigate risks.

Tech Optimizer

May 20, 2026

PostgreSQL backup tool gets some backup of its own after sole maintainer sounds alarm

A coalition of companies, including AWS, Percona, Supabase, pgEdge, and Tiger Data, has formed to support the maintenance of pgBackRest, an extension for the PostgreSQL database, after its long-time maintainer, David Steele, could no longer continue due to a lack of sponsorship following the acquisition of Crunchy Data by Snowflake. pgBackRest is a backup and restore solution for PostgreSQL, which is widely used by major cloud service providers. Steele had been seeking sponsorship to maintain the project but was unsuccessful, prompting concerns about its future. The coalition aims to provide stability and reduce reliance on a single sponsor by onboarding a new maintainer and seeking additional support. Percona's CEO emphasized the importance of collaboration to ensure the project's health for the community.

Tech Optimizer

May 19, 2026

20-Year-Old PostgreSQL Flaw Gets Public PoC Exploit for Remote Code Execution

A proof-of-concept exploit for CVE-2026-2005 has been released, highlighting a significant vulnerability in the PostgreSQL pgcrypto extension that allows for remote code execution (RCE). This flaw, rooted in legacy code for nearly 20 years, enables attackers to escalate privileges and execute arbitrary commands on compromised servers. The vulnerability is found in the PGP session key parsing logic of the pgcrypto module and involves a heap-based buffer overflow, granting attackers arbitrary read and write access to memory. The exploit, shared by researcher “var77” on GitHub, demonstrates a multi-stage process that bypasses modern security measures like Address Space Layout Randomization (ASLR) using specially crafted PGP messages. The attack involves several steps, including heap pointer leakage, arbitrary memory read, identification of executable memory regions, and privilege escalation to the PostgreSQL superuser level, ultimately allowing the execution of OS-level commands. The vulnerability affects PostgreSQL deployments with the pgcrypto extension enabled, particularly those using vulnerable code versions. Successful exploitation can lead to full database compromise, unauthorized data access or modification, and potential lateral movement within networks. Organizations are advised to update PostgreSQL, restrict pgcrypto usage, limit user privileges, and monitor for unusual activity to mitigate risks.