Description
SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.
Published: 2026-05-14
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw in PostgreSQL's pg_createsubscriber allows an attacker who holds the pg_create_subscription privilege to inject arbitrary SQL statements. The next time pg_createsubscriber runs, the injected statements execute with superuser authority, giving the attacker full control of the database instance: read access to confidential data, the ability to modify schema or data, and, if the database configuration permits, the ability to execute system commands. The weakness is a classic SQL injection (CWE-89).

Affected Systems

The issue affects PostgreSQL major version 17 from 17.0 up through 17.9, and major version 18 from 18.0 up through 18.3. Any PostgreSQL release prior to 17 is unaffected. Consequently, organizations running any 17.x release before 17.10 or any 18.x release before 18.4 are at risk.

Risk and Exploitability

The CVSS base score of 7.2 indicates high severity; no EPSS score is available at this time, and the vulnerability is not listed in the CISA KEV catalog. Because an attacker must hold pg_create_subscription rights, which are typically granted only to privileged users, exploitation generally requires an insider or a compromised privileged account. Once triggered, however, the injected commands execute as superuser, which maximizes the impact. The flaw is exploitable through normal database usage; no network exposure beyond legitimate privileged database access is required.

Generated by OpenCVE AI on May 14, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade PostgreSQL to version 17.10 or a newer minor release, or to 18.4 or newer, to obtain the vendor patch that fixes the injection flaw.
  • Restrict the pg_create_subscription privilege to a minimal set of trusted roles and audit any usage of subscription creation commands.
  • If an immediate upgrade is not feasible, temporarily disable the ability to create subscriptions or block untrusted connection sources from invoking pg_create_subscription until a patch can be applied.
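As an added illustration of the audit step in the recommended actions (this is example SQL added here, not part of the OpenCVE page and not PostgreSQL's own tooling), the following queries list the roles on an instance that can create subscriptions and report whether the running minor version falls inside the affected ranges stated above. They assume the predefined pg_create_subscription role (PostgreSQL 16 and later) and the standard pg_roles catalog; the role name in the commented REVOKE is a hypothetical placeholder.

```sql
-- Added example: list roles that can create subscriptions, either through
-- membership in the predefined pg_create_subscription role or because they
-- are superusers (superusers are implicitly members of every role).
-- Run as a superuser on each instance you want to audit.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER') AS can_create_subscription
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'        -- skip the built-in pg_* roles themselves
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER'))
ORDER BY r.rolname;

-- Classify the running server against the affected ranges from the advisory
-- (17.0-17.9 and 18.0-18.3 affected; 17.10+ and 18.4+ fixed; pre-17 unaffected).
-- server_version_num encodes major*10000 + minor, e.g. 17.9 -> 170009.
SELECT current_setting('server_version') AS server_version,
       current_setting('server_version_num')::int AS server_version_num,
       CASE
         WHEN current_setting('server_version_num')::int < 170000 THEN 'unaffected (pre-17)'
         WHEN current_setting('server_version_num')::int BETWEEN 170000 AND 170009 THEN 'affected: upgrade to 17.10 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 180000 AND 180003 THEN 'affected: upgrade to 18.4 or later'
         ELSE 'fixed'
       END AS cve_2026_6476_status;

-- Remove the privilege from a role that does not need it.
-- app_replication_user is a hypothetical placeholder role name.
-- REVOKE pg_create_subscription FROM app_replication_user;
```

The first query is the check to repeat after any REVOKE: a role that no longer appears in its output can no longer reach the vulnerable code path, which narrows the attacker population to superusers and the roles you have deliberately kept.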



Advisories
Source: Debian DSA
ID: DSA-6270-1
Title: postgresql-17 security update
History

Thu, 14 May 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Postgresql; Postgresql postgresql

Type: Vendors & Products
Values Added: Postgresql; Postgresql postgresql

Thu, 14 May 2026 13:30:00 +0000

Type: Description
Values Added: SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Type: Title
Values Added: PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-14T15:31:52.892Z

Reserved: 2026-04-17T00:43:55.119Z

Link: CVE-2026-6476

Vulnrichment

Updated: 2026-05-14T15:31:48.922Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T14:16:25.230

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses