CVE-2026-6638

CVE-2026-6638 PUBLISHED CVSS 3.7 LOW

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

EPSS 0.02% · 7.3th percentile

Risk Scores

CVSS v3.1: 3.7
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS Score: 0.02% (7.3th percentile)

Affected Products

Vendor    Product       Versions
n/a       PostgreSQL    18, 17, 16

Timeline

  • May 14, 2026 CVE Published
  • May 14, 2026 CVE Updated
  • May 15, 2026 Security Advisory
  • May 16, 2026 EPSS Score
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score