Critical PostgreSQL Vulnerabilities Enable Code Execution and SQL Injections

The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws.

PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates.

These minor versions address 11 CVEs plus more than 60 bugs reported over the last few months, making this a high‑priority release for production databases.

All supported branches from 14 through 18 are affected by at least some of the issues, so simply running a newer major version does not remove the risk.

Admins can upgrade in place by stopping PostgreSQL and updating the binaries; a dump/restore or pg_upgrade is not required for these minor updates.

PostgreSQL Vulnerabilities

Code Execution via refint Module

CVE‑2026‑6637 is one of the most serious bugs, located in the refint module used to enforce referential integrity.

A stack buffer overflow allows an unprivileged database user to execute arbitrary code as the operating system account running PostgreSQL, which means a full server compromise from a database‑level foothold.

A separate attack scenario arises when an application exposes a user‑controlled column as a refint-cascade primary key and allows users to update it.

In this case, a crafted primary key update can trigger SQL injection, allowing the attacker to execute arbitrary SQL with the database privileges of the updating role.

Summary of the 11 CVEs (vulnerability: impact):

CVE-2026-6472: Privilege bypass and arbitrary SQL execution
CVE-2026-6473: Potential RCE and memory corruption
CVE-2026-6474: Server memory information leak
CVE-2026-6475: Arbitrary file overwrite vulnerability
CVE-2026-6476: SQL injection with superuser execution
CVE-2026-6477: Client-side code execution risk
CVE-2026-6478: MD5 credential timing leak
CVE-2026-6479: SSL/GSS denial-of-service flaw
CVE-2026-6575: Limited memory disclosure issue
CVE-2026-6637: Stack overflow and SQL injection
CVE-2026-6638: SQL injection in logical replication

SQL Injection in Replication Components

Logical replication features contain multiple SQL injection paths that can be abused for privilege escalation.

CVE‑2026‑6476 affects pg_createsubscriber and lets an attacker with pg_create_subscription rights inject SQL that runs with superuser privileges when pg_createsubscriber is invoked.

CVE‑2026‑6638 resides in ALTER SUBSCRIPTION … REFRESH PUBLICATION.

A subscriber table creator can craft table names that cause arbitrary SQL to execute with the publication side's credentials the next time REFRESH PUBLICATION runs.

According to the PostgreSQL release announcement, these flaws primarily affect PostgreSQL 16 through 18 environments that use logical replication.

Other Critical Memory and Client‑Side Issues

Several vulnerabilities affect memory safety, denial-of-service, and client tools.

CVE‑2026‑6473 describes integer wraparound issues that cause undersized memory allocations and out‑of‑bounds writes, leading to segmentation faults when attackers supply crafted inputs.

CVE‑2026‑6477 affects the libpq client library by allowing unsafe use of PQfn in large-object helper functions such as lo_export() and lo_read().

A server superuser can send oversized responses that overwrite stack memory in client tools like psql and pg_dump, potentially leading to client‑side code execution.

Backup utilities are also impacted: CVE‑2026‑6475 allows pg_basebackup (plain format) and pg_rewind to follow symbolic links and overwrite arbitrary local files chosen by the origin superuser, such as shell profiles.

In addition, PostgreSQL 14 is scheduled to reach end‑of‑life on November 12, 2026, after which it will no longer receive fixes.

Organizations still running 14 should both apply 14.23 now and start planning a migration to a newer supported branch.

Given the combination of code execution, SQL injection, memory corruption, and client‑side risks, these updates should be treated as urgent, especially for internet‑exposed or multi‑tenant PostgreSQL deployments.

Teams should prioritize upgrading to 18.4, 17.10, 16.14, 15.18, or 14.23 and review their use of refint, logical replication, and client tooling as part of their hardening efforts.
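As an added triage helper (not part of the article or of PostgreSQL itself), the script below checks a fleet's SHOW server_version output against the fixed minor versions listed above and carries the catalog queries a DBA would run on each unpatched host to find refint triggers and logical replication subscriptions; the host inventory is constructed sample data.

```python
"""Fleet triage for the PostgreSQL minor releases described in the article."""
import re
from typing import Optional

# First minor release of each supported branch carrying the 11 CVE fixes
# (values taken from the article).
FIXED_MINOR = {14: 23, 15: 18, 16: 14, 17: 10, 18: 4}

# Leading "major.minor" of SHOW server_version output, e.g.
# "16.13 (Ubuntu 16.13-1.pgdg22.04+1)". Pre-release tags like "18beta1" do not match.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)")

def parse_version(server_version: str) -> Optional[tuple[int, int]]:
    m = _VERSION_RE.match(server_version)
    return (int(m.group(1)), int(m.group(2))) if m else None

def required_upgrade(server_version: str) -> Optional[str]:
    """Return the release a host must move to, or None if it is already patched.

    Unparseable strings and branches outside 14..18 are reported explicitly
    rather than silently treated as patched.
    """
    parsed = parse_version(server_version)
    if parsed is None:
        return f"unparseable version string: {server_version!r}"
    major, minor = parsed
    if major not in FIXED_MINOR:
        return f"{major}.x is not a supported branch; migrate to a supported branch"
    if minor < FIXED_MINOR[major]:
        return f"{major}.{FIXED_MINOR[major]}"
    return None

# Standard catalog queries to size the exposure the article singles out:
# refint triggers (the module's check_primary_key/check_foreign_key functions)
# and logical replication subscriptions.
REFINT_TRIGGERS_SQL = """
SELECT t.tgrelid::regclass AS table_name, t.tgname
FROM pg_trigger t JOIN pg_proc p ON p.oid = t.tgfoid
WHERE p.proname IN ('check_primary_key', 'check_foreign_key');
"""
SUBSCRIPTIONS_SQL = "SELECT subname, subenabled FROM pg_subscription;"

def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> required action for every host that is not yet patched."""
    return {h: a for h, v in inventory.items() if (a := required_upgrade(v))}

if __name__ == "__main__":
    # Constructed inventory: host -> SHOW server_version output.
    sample = {"db-a": "16.13 (Ubuntu 16.13-1.pgdg22.04+1)", "db-b": "17.10",
              "db-c": "14.22", "db-d": "13.20", "db-e": "18.4"}
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```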

The post Critical PostgreSQL Vulnerabilities Enable Code Execution and SQL Injections appeared first on Cyber Security News.

Source: cybersecuritynews.com
