Description
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Published: 2026-05-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from symlink following in PostgreSQL's pg_basebackup (when writing a plain-format backup) and pg_rewind. An origin superuser can cause the data copied by these tools to include symlinks that point to sensitive files on the host running the tool, such as /var/lib/postgres/.bashrc, and those files are overwritten when the backup or rewind writes through the links. Replacing a shell initialization file lets the attacker inject commands that run whenever that user logs in, effectively hijacking the operating-system account. The flaw is classified as CWE-59 (Improper Link Resolution Before File Access) and CWE-61 (UNIX Symbolic Link Following).

Affected Systems

Affected releases are PostgreSQL versions prior to 18.4, prior to 17.10, prior to 16.14, prior to 15.18, and prior to 14.23. The issue is specific to the PostgreSQL database server product and does not affect other vendors or products.

Risk and Exploitability

The CVSS base score of 8.8 denotes high severity. An EPSS score of 0.00049 (< 1%) indicates a very low but non-zero probability of exploitation. Exploitation also requires an attacker who is already superuser on the origin server and a victim who runs pg_basebackup or pg_rewind against that origin; as the description notes, the overwritten files only matter in practice if something is done with them between those commands and the next server start (for example moving them to another VM or snapshotting the VM), which narrows the exploit window without eliminating the risk. Because the overwritten files can be ones executed by the operating-system account, such as a shell initialization file, a successful attack can give persistent control of that account. The vulnerability is not listed in the CISA KEV catalog, indicating that known exploits have not yet been observed, but the impact is serious if exploited.

Generated by OpenCVE AI on June 4, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to a fixed release (18.4 or newer, 17.10 or newer, 16.14 or newer, 15.18 or newer, or 14.23 or newer).
  • Restrict the use of pg_basebackup and pg_rewind to a dedicated backup role that has no superuser privileges or that cannot reach critical host paths.
  • Audit and remove any symlinks in backup directories that could resolve to sensitive files, and configure the server to use a strictly scoped backup location that disallows following external symlinks.
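One way to carry out the audit in the last item, as an added example that is not OpenCVE's or the PostgreSQL project's code: after pg_basebackup has written a plain-format backup, list every symlink under the backup directory that resolves outside it (or dangles). The script only reports, because a pg_wal link created by --waldir and pg_tblspc entries created by --tablespace-mapping legitimately point outside the root and should be compared against the command line that was used; all paths below are assumptions.

```shell
#!/bin/sh
# Added example: audit a plain-format pg_basebackup target directory for
# symlinks whose resolved target lies outside the backup root.

# Usage: check_backup_symlinks /path/to/backup
# Prints "link -> resolved target" for every escaping or dangling symlink.
# Returns 0 if none found, 1 if at least one found, 2 if not a directory.
check_backup_symlinks() {
  root=$(cd "$1" 2>/dev/null && pwd -P) || {
    echo "not a directory: $1" >&2
    return 2
  }
  # The while loop runs in a subshell (it is fed by a pipe), so findings are
  # collected through the command substitution rather than a counter.
  escaped=$(find "$root" -type l -print | while IFS= read -r link; do
    # readlink -f canonicalises every path component; a link whose target
    # does not exist is reported as dangling rather than silently accepted.
    target=$(readlink -f -- "$link" 2>/dev/null) || target=""
    [ -n "$target" ] && [ -e "$target" ] || target="(dangling)"
    case "$target" in
      "$root" | "$root"/*) ;;                 # resolves inside the backup root
      *) printf '%s -> %s\n' "$link" "$target" ;;
    esac
  done)
  [ -z "$escaped" ] && return 0
  printf '%s\n' "$escaped"
  return 1
}

# Run directly against a backup directory given on the command line.
if [ "$#" -gt 0 ]; then
  check_backup_symlinks "$1"
fi
```

Expected links (the --waldir target, mapped tablespaces) will appear in the report; anything else, and in particular any link resolving into a home directory or a system path, deserves investigation before the backup is moved or snapshotted.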

Advisories
Source | ID | Title
Debian DSA | DSA-6269-1 | postgresql-15 security update
Debian DSA | DSA-6270-1 | postgresql-17 security update
Ubuntu USN | USN-8294-1 | PostgreSQL vulnerabilities

History

Thu, 04 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
References
Metrics threat_severity: None -> threat_severity: Moderate

Mon, 18 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Postgresql
Postgresql postgresql
Vendors & Products Postgresql
Postgresql postgresql

Thu, 14 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice
Weaknesses CWE-61
References
Metrics cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-15T03:56:16.367Z

Reserved: 2026-04-17T00:43:21.782Z

Link: CVE-2026-6475

Vulnrichment

Updated: 2026-05-14T15:31:04.651Z

NVD

Status : Analyzed

Published: 2026-05-14T14:16:25.113

Modified: 2026-05-18T15:02:12.483

Link: CVE-2026-6475

Redhat

Severity : Moderate

Public Date: 2026-05-14T13:00:11Z

Links: CVE-2026-6475 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-04T02:15:03Z

Weaknesses
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-61: UNIX Symbolic Link (Symlink) Following