Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections
Cybersecurity NewsArchived May 19, 2026✓ Full text saved
The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws. PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates. These minor versions address 11 CVEs plus more than 60 bugs reported over the […] The post Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections appeared first on Cyber S
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections
By Abinaya
May 19, 2026
The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws.
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates.
These minor versions address 11 CVEs plus more than 60 bugs reported over the last few months, making this a high‑priority release for production databases.
All supported branches from 14 through 18 are affected by at least some of the issues, so simply running a newer major version does not remove the risk.
Admins can upgrade in place by stopping PostgreSQL and updating binaries; dump/restore, or pg_upgrade is not required for these minor updates.
PostgreSQL Vulnerabilities
Code Execution via refint Module
CVE‑2026‑6637 is one of the most serious bugs, located in the refint module used to enforce referential integrity.
A stack buffer overflow allows an unprivileged database user to execute arbitrary code as the operating system account running PostgreSQL, which means a full server compromise from a database‑level foothold.
A separate attack scenario arises when an application exposes a user‑controlled column as a refint-cascade primary key and allows users to update it.
In this case, a crafted primary key update can trigger SQL injection, allowing the attacker to execute arbitrary SQL with the database privileges of the updating role.
Vulnerability Impact
CVE-2026-6472 Privilege bypass and arbitrary SQL execution
CVE-2026-6473 Potential RCE and memory corruption
CVE-2026-6474 Server memory information leak
CVE-2026-6475 Arbitrary file overwrite vulnerability
CVE-2026-6476 SQL injection with superuser execution
CVE-2026-6477 Client-side code execution risk
CVE-2026-6478 MD5 credential timing leak
CVE-2026-6479 SSL/GSS denial-of-service flaw
CVE-2026-6575 Limited memory disclosure issue
CVE-2026-6637 Stack overflow and SQL injection
CVE-2026-6638 SQL injection in logical replication
SQL Injection in Replication Components
Logical replication features contain multiple SQL injection paths that can be abused for privilege escalation.
CVE‑2026‑6476 affects pg_createsubscriber and lets an attacker with pg_create_subscription rights inject SQL that runs with superuser privileges when pg_createsubscriber is invoked.
CVE‑2026‑6638 resides in ALTER SUBSCRIPTION … REFRESH PUBLICATION.
A subscriber table creator can craft table names that cause arbitrary SQL to execute using the publication side’s credentials, the next time REFRESH PUBLICATION runs.
According to the latest release from PostgreSQL, these flaws primarily affect PostgreSQL 16–18 environments using logical replication.
Other Critical Memory and Client‑Side Issues
Several vulnerabilities affect memory safety, denial-of-service, and client tools.
CVE‑2026‑6473 describes integer wraparound issues that cause undersized memory allocations and out‑of‑bounds writes, leading to segmentation faults when attackers supply crafted inputs.
CVE‑2026‑6477 affects the libpq client library by allowing unsafe use of PQfn in large-object helper functions such as lo_export() and lo_read().
A server superuser can send oversized responses that overwrite stack memory in client tools like psql and pg_dump, potentially leading to client‑side code execution.
Backup utilities are also impacted: CVE‑2026‑6475 allows pg_basebackup (plain format) and pg_rewind to follow symbolic links and overwrite arbitrary local files chosen by the origin superuser, such as shell profiles.
In addition, PostgreSQL 14 is scheduled to reach end‑of‑life on November 12, 2026, after which it will no longer receive fixes.
Organizations still running 14 should both apply 14.23 now and start planning a migration to a newer supported branch.
Given the combination of code execution, SQL injection, memory corruption, and client‑side risks, these updates should be treated as urgent, especially for internet‑exposed or multi‑tenant PostgreSQL deployments.
Teams should prioritize upgrading to 18.4, 17.10, 16.14, 15.18, or 14.23 and review their use of refint, logical replication, and client tooling as part of their hardening efforts.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data
Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks
Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems
Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets
Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results
Latest News
Cyber Security
600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
Botnet
Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity
Cyber Security News
Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain
Cyber Security News
Critical Apache Flink Vulnerability Enables Remote code execution Attacks
Cyber Security News
Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup