CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws. PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates. These minor versions address 11 CVEs plus more than 60 bugs reported over the […] The post Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections appeared first on Cyber S

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections By Abinaya May 19, 2026 The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws. PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates. These minor versions address 11 CVEs plus more than 60 bugs reported over the last few months, making this a high‑priority release for production databases. All supported branches from 14 through 18 are affected by at least some of the issues, so simply running a newer major version does not remove the risk. Admins can upgrade in place by stopping PostgreSQL and updating binaries; dump/restore, or pg_upgrade is not required for these minor updates. PostgreSQL Vulnerabilities Code Execution via refint Module CVE‑2026‑6637 is one of the most serious bugs, located in the refint module used to enforce referential integrity. A stack buffer overflow allows an unprivileged database user to execute arbitrary code as the operating system account running PostgreSQL, which means a full server compromise from a database‑level foothold. A separate attack scenario arises when an application exposes a user‑controlled column as a refint-cascade primary key and allows users to update it. In this case, a crafted primary key update can trigger SQL injection, allowing the attacker to execute arbitrary SQL with the database privileges of the updating role. Vulnerability Impact CVE-2026-6472 Privilege bypass and arbitrary SQL execution CVE-2026-6473 Potential RCE and memory corruption CVE-2026-6474 Server memory information leak CVE-2026-6475 Arbitrary file overwrite vulnerability CVE-2026-6476 SQL injection with superuser execution CVE-2026-6477 Client-side code execution risk CVE-2026-6478 MD5 credential timing leak CVE-2026-6479 SSL/GSS denial-of-service flaw CVE-2026-6575 Limited memory disclosure issue CVE-2026-6637 Stack overflow and SQL injection CVE-2026-6638 SQL injection in logical replication SQL Injection in Replication Components Logical replication features contain multiple SQL injection paths that can be abused for privilege escalation. CVE‑2026‑6476 affects pg_createsubscriber and lets an attacker with pg_create_subscription rights inject SQL that runs with superuser privileges when pg_createsubscriber is invoked. CVE‑2026‑6638 resides in ALTER SUBSCRIPTION … REFRESH PUBLICATION. A subscriber table creator can craft table names that cause arbitrary SQL to execute using the publication side’s credentials, the next time REFRESH PUBLICATION runs. According to the latest release from PostgreSQL, these flaws primarily affect PostgreSQL 16–18 environments using logical replication. Other Critical Memory and Client‑Side Issues Several vulnerabilities affect memory safety, denial-of-service, and client tools. CVE‑2026‑6473 describes integer wraparound issues that cause undersized memory allocations and out‑of‑bounds writes, leading to segmentation faults when attackers supply crafted inputs. CVE‑2026‑6477 affects the libpq client library by allowing unsafe use of PQfn in large-object helper functions such as lo_export() and lo_read(). A server superuser can send oversized responses that overwrite stack memory in client tools like psql and pg_dump, potentially leading to client‑side code execution. Backup utilities are also impacted: CVE‑2026‑6475 allows pg_basebackup (plain format) and pg_rewind to follow symbolic links and overwrite arbitrary local files chosen by the origin superuser, such as shell profiles. In addition, PostgreSQL 14 is scheduled to reach end‑of‑life on November 12, 2026, after which it will no longer receive fixes. Organizations still running 14 should both apply 14.23 now and start planning a migration to a newer supported branch. Given the combination of code execution, SQL injection, memory corruption, and client‑side risks, these updates should be treated as urgent, especially for internet‑exposed or multi‑tenant PostgreSQL deployments. Teams should prioritize upgrading to 18.4, 17.10, 16.14, 15.18, or 14.23 and review their use of refint, logical replication, and client tooling as part of their hardening efforts. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results Latest News Cyber Security 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack Botnet Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity Cyber Security News Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain Cyber Security News Critical Apache Flink Vulnerability Enables Remote code execution Attacks Cyber Security News Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗