CVE-2026-6638 – PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

CVE ID :CVE-2026-6638

Published : May 14, 2026, 2:16 p.m. | 42 minutes ago

Description :SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION … REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription’s publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

Severity: 3.7 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-6637 – PostgreSQL refint allows stack buffer overflow and SQL injection

CVE-2026-6575 – PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

CVE-2026-6479 – PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

CVE-2026-6478 – PostgreSQL discloses MD5-hashed passwords via covert timing channel