Description
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Published: 2026-05-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from symlink following in PostgreSQL's pg_basebackup (plain format) and pg_rewind utilities. A superuser on the origin server can cause the backup or rewind to deliver symlinks that resolve to sensitive files on the host running the utility, such as /var/lib/postgres/.bashrc, so that those files are overwritten during the backup or rewind process. By replacing a shell initialization file, an attacker can inject commands that execute whenever the associated user logs in, effectively hijacking an operating-system account. The flaw is classified as CWE-61 (UNIX symbolic link following), a link-following variant of the path-resolution weaknesses.

Affected Systems

Affected releases are PostgreSQL versions prior to 18.4, prior to 17.10, prior to 16.14, prior to 15.18, and prior to 14.23. The issue is specific to the PostgreSQL database server product and does not affect other vendors or products.

Risk and Exploitability

The CVSS base score of 8.8 denotes high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified. The attack requires a superuser on the origin server, and it only has practical consequences if someone acts on the files written by pg_basebackup or pg_rewind before the server is started from them (for example by moving them to a different VM or snapshotting the VM); that narrows the attack window but does not eliminate the risk. Because the vulnerability can overwrite files executed by the operating-system account that runs the utility, it can lead to persistent compromise of that account. The vulnerability is not listed in the CISA KEV catalog, indicating that exploitation in the wild has not been reported, but the impact is serious if exploited.

Generated by OpenCVE AI on May 14, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to a fixed release (18.4 or newer, 17.10 or newer, 16.14 or newer, 15.18 or newer, or 14.23 or newer).
  • Restrict the use of pg_basebackup and pg_rewind to a dedicated backup role that has no superuser privileges or that cannot reach critical host paths.
  • Audit and remove any symlinks in backup directories that could resolve to sensitive files, and configure the server to use a strictly scoped backup location that disallows following external symlinks.


Advisories
Source       ID           Title
Debian DSA   DSA-6269-1   postgresql-15 security update
Debian DSA   DSA-6270-1   postgresql-17 security update
History

Thu, 14 May 2026 16:30:00 +0000

Type             Values Removed   Values Added
Metrics (ssvc)                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Postgresql; Postgresql postgresql
Vendors & Products                     Postgresql; Postgresql postgresql

Thu, 14 May 2026 13:30:00 +0000

Type                 Values Removed   Values Added
Description                           Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title                                 PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice
Weaknesses                            CWE-61
References
Metrics (cvssV3_1)                    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Postgresql Postgresql
MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-14T15:31:10.375Z

Reserved: 2026-04-17T00:43:21.782Z

Link: CVE-2026-6475

Vulnrichment

Updated: 2026-05-14T15:31:04.651Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T14:16:25.113

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses