Critical PostgreSQL Vulnerabilities Enable Code Execution and SQL Injection

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws.

PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates.

These minor versions address 11 CVEs plus more than 60 bugs reported over the last few months, making this a high‑priority release for production databases.

All supported branches from 14 through 18 are affected by at least some of the issues, so simply running a newer major version does not remove the risk.

Admins can upgrade in place by stopping PostgreSQL and updating the binaries; a dump/restore or pg_upgrade is not required for these minor updates.

PostgreSQL Vulnerabilities

Code Execution via refint Module

CVE‑2026‑6637 is one of the most serious bugs, located in the refint module used to enforce referential integrity.

A stack buffer overflow allows an unprivileged database user to execute arbitrary code as the operating system account running PostgreSQL, which means a full server compromise from a database‑level foothold.

A separate attack scenario arises when an application exposes a user‑controlled column as a refint-cascade primary key and allows users to update it.

In this case, a crafted primary key update can trigger SQL injection, allowing the attacker to execute arbitrary SQL with the database privileges of the updating role.

Vulnerability     Impact
-------------     ------
CVE-2026-6472     Privilege bypass and arbitrary SQL execution
CVE-2026-6473     Potential RCE and memory corruption
CVE-2026-6474     Server memory information leak
CVE-2026-6475     Arbitrary file overwrite vulnerability
CVE-2026-6476     SQL injection with superuser execution
CVE-2026-6477     Client-side code execution risk
CVE-2026-6478     MD5 credential timing leak
CVE-2026-6479     SSL/GSS denial-of-service flaw
CVE-2026-6575     Limited memory disclosure issue
CVE-2026-6637     Stack overflow and SQL injection
CVE-2026-6638     SQL injection in logical replication

SQL Injection in Replication Components

Logical replication features contain multiple SQL injection paths that can be abused for privilege escalation.

CVE‑2026‑6476 affects pg_createsubscriber and lets an attacker with pg_create_subscription rights inject SQL that runs with superuser privileges when pg_createsubscriber is invoked.

CVE‑2026‑6638 resides in ALTER SUBSCRIPTION … REFRESH PUBLICATION.

A subscriber-side table creator can craft table names that cause arbitrary SQL to execute with the publication side's credentials the next time REFRESH PUBLICATION runs.

According to the latest release from PostgreSQL, these flaws primarily affect PostgreSQL 16–18 environments using logical replication.

Other Critical Memory and Client‑Side Issues

Several vulnerabilities affect memory safety, denial-of-service, and client tools.

CVE‑2026‑6473 describes integer wraparound issues that cause undersized memory allocations and out‑of‑bounds writes, leading to segmentation faults when attackers supply crafted inputs.

CVE‑2026‑6477 affects the libpq client library by allowing unsafe use of PQfn in large-object helper functions such as lo_export() and lo_read().

A server superuser can send oversized responses that overwrite stack memory in client tools like psql and pg_dump, potentially leading to client‑side code execution.

Backup utilities are also impacted: CVE‑2026‑6475 allows pg_basebackup (plain format) and pg_rewind to follow symbolic links and overwrite arbitrary local files chosen by the origin superuser, such as shell profiles.

In addition, PostgreSQL 14 is scheduled to reach end‑of‑life on November 12, 2026, after which it will no longer receive fixes.

Organizations still running 14 should both apply 14.23 now and start planning a migration to a newer supported branch.

Given the combination of code execution, SQL injection, memory corruption, and client‑side risks, these updates should be treated as urgent, especially for internet‑exposed or multi‑tenant PostgreSQL deployments.

Teams should prioritize upgrading to 18.4, 17.10, 16.14, 15.18, or 14.23 and review their use of refint, logical replication, and client tooling as part of their hardening efforts.
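As an added example (not code from the article or from the PostgreSQL project), the helper below decides from `SHOW server_version_num` whether a server is at or above the fixed minor versions listed above, and inventories the components this release touches: tables still using refint triggers, logical replication subscriptions, and members of pg_create_subscription. It assumes the refint trigger functions are named check_primary_key and check_foreign_key (as in contrib/spi/refint) and takes any DB-API connection object.

```python
# Added audit helper (not from the article or the PostgreSQL project). Assumes the
# refint trigger functions check_primary_key/check_foreign_key from contrib/spi/refint.
# Lowest minor release carrying the fixes, per supported major branch (from the article).
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

def parse_version_num(server_version_num: int) -> tuple:
    """Split the integer from `SHOW server_version_num` (e.g. 170009) into (major, minor)."""
    return divmod(int(server_version_num), 10000)

def is_patched(server_version_num: int) -> bool:
    """True when the branch is supported and its minor is at or above the fixed release.
    Branches not in FIXED_MINOR (13 and older) are out of support and reported unpatched."""
    major, minor = parse_version_num(server_version_num)
    fixed = FIXED_MINOR.get(major)
    return fixed is not None and minor >= fixed

# Inventory queries: where the components named in the advisory are actually in use.
REFINT_TRIGGERS_SQL = """
SELECT c.relname, t.tgname, p.proname
  FROM pg_trigger t
  JOIN pg_class c ON c.oid = t.tgrelid
  JOIN pg_proc  p ON p.oid = t.tgfoid
 WHERE p.proname IN ('check_primary_key', 'check_foreign_key')
   AND NOT t.tgisinternal"""

SUBSCRIPTIONS_SQL = "SELECT subname, subenabled FROM pg_subscription"

# pg_create_subscription exists from PostgreSQL 16 on; superusers are listed too (pg_has_role).
SUBSCRIPTION_ROLES_SQL = """
SELECT r.rolname FROM pg_roles r
 WHERE pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER')
   AND r.rolname <> 'pg_create_subscription'"""

def audit(conn) -> dict:
    """Run the checks over any DB-API connection (psycopg, psycopg2) and return findings."""
    cur = conn.cursor()
    cur.execute("SHOW server_version_num")
    version_num = int(cur.fetchone()[0])
    major, _ = parse_version_num(version_num)
    report = {"server_version_num": version_num, "patched": is_patched(version_num)}
    cur.execute(REFINT_TRIGGERS_SQL)
    report["refint_triggers"] = cur.fetchall()          # tables still relying on refint
    cur.execute(SUBSCRIPTIONS_SQL)
    report["subscriptions"] = cur.fetchall()            # logical replication in use?
    if major >= 16:
        cur.execute(SUBSCRIPTION_ROLES_SQL)
        report["pg_create_subscription_members"] = [r[0] for r in cur.fetchall()]
    return report
```

Run `audit(conn)` against each server and treat `patched == False` or a non-empty `refint_triggers` or `subscriptions` list as the items to act on first.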
