SecuriTricks - CVE-2026-6638

Description

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

Product(s) Impacted

Vendor	Product	Versions
Postgresql	Postgresql	18.0-18.3, 17.0-17.9, 16.0-16.13

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	postgresql	postgresql	18.0-18.3	/	/	/	/	/	/	/
a	postgresql	postgresql	17.0-17.9	/	/	/	/	/	/	/
a	postgresql	postgresql	16.0-16.13	/	/	/	/	/	/	/

References

https://www.postgresql.org/support/security/CVE-2026-6638/

CVSS Score

3.7 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: May 14, 2026, 2:16 p.m.
Last Modified: May 14, 2026, 4:21 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

CVE-2026-6638