Description
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Published: 2026-05-14
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because PostgreSQL does not verify that a role creating a user‑defined type has the proper CREATE privilege on the target schema. An attacker who can create a type can manipulate internal search_path logic to cause a victim database session to execute arbitrary SQL functions chosen by the attacker, leading to potential data disclosure, tampering, or denial of service. The flaw is classified as CWE‑862.

Affected Systems

PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. The issue is localized to the PostgreSQL database engine and does not impact other products.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity; the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog, implying no known public exploits. Exploitation requires a role with CREATE TYPE capability, which is typically restricted to privileged accounts or application contexts. While the attack vector is not stated explicitly, it is reasonable to infer that local or application‑level exploitation is possible, as the flaw relies on internal privilege misuse rather than remote network access. Nevertheless, arbitrary SQL execution represents a significant risk to confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official PostgreSQL patch or upgrade to a supported release that fixes the issue (18.4 or later).
  • If patching is delayed, revoke the CREATE TYPE privilege from non‑administrative roles or restrict its use to trusted accounts.
  • Configure database logging and regularly audit logs for anomalous search_path manipulation or unexpected function calls.

Generated by OpenCVE AI on May 14, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6269-1 postgresql-15 security update
Debian DSA Debian DSA DSA-6270-1 postgresql-17 security update
History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Postgresql
Postgresql postgresql
Vendors & Products Postgresql
Postgresql postgresql

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Postgresql Postgresql
cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-14T13:43:48.103Z

Reserved: 2026-04-17T00:23:44.190Z

Link: CVE-2026-6472

cve-icon Vulnrichment

Updated: 2026-05-14T13:43:44.465Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T14:16:24.757

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6472

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses