CVE-2026-54291

MEDIUM

Silent channel-binding authentication downgrade via unsupported certificate algorithms

Title source: cna
STIX 2.1

Description

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.

Scores

CVSS v3 5.9
EPSS 0.0024
EPSS Percentile 14.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-636 CWE-757
Status published
Products (2)
pgjdbc/pgjdbc >= 42.7.4, < 42.7.12
postgresql/postgresql_jdbc_driver 42.7.4 - 42.7.12
Published Jul 06, 2026
Tracked Since Jul 07, 2026