CVE-2026-6476

HIGH

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Title source: cna

Description

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

References (1)

Core 1

Core References

https://www.postgresql.org/support/security/CVE-2026-6476/

Scores

CVSS v3 7.2

EPSS 0.0003

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (3)

None/PostgreSQL 17 - 17.10

None/PostgreSQL 18 - 18.4

postgresql/postgresql 17.0 - 17.10

Published May 14, 2026

Tracked Since May 14, 2026