Unrated severityNVD Advisory· Published Aug 11, 2023· Updated Nov 21, 2025

Postgresql: merge fails to enforce update or select row security policies

CVE-2023-39418

Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Affected products

Red Hat/Red Hat Enterprise Linux 8v52 versions
cpe:/a:redhat:enterprise_linux:8::appstream+ 1 more
- cpe:/a:redhat:enterprise_linux:8::appstreamrange: 8090020231114113548.a75119d5
- cpe:/o:redhat:enterprise_linux:8
Red Hat/Red Hat Enterprise Linux 9v52 versions
cpe:/a:redhat:enterprise_linux:9::appstream+ 1 more
- cpe:/a:redhat:enterprise_linux:9::appstreamrange: 9030020231120082734.rhel9
- cpe:/o:redhat:enterprise_linux:9
Red Hat/Red Hat Enterprise Linux 8.8 Extended Update Supportv5
cpe:/a:redhat:rhel_eus:8.8::appstream
Range: 8080020231113134015.63b34585
Red Hat/Red Hat Enterprise Linux 9.2 Extended Update Supportv5
cpe:/a:redhat:rhel_eus:9.2::appstream
Range: 9020020231115020618.rhel9
Red Hat/Red Hat Software Collectionsv5
cpe:/a:redhat:rhel_software_collections:3
Red Hat/Red Hat Enterprise Linux 6v5
cpe:/o:redhat:enterprise_linux:6
Red Hat/Red Hat Enterprise Linux 7v5
cpe:/o:redhat:enterprise_linux:7
osv-coords32 versions
pkg:bitnami/postgresql pkg:rpm/almalinux/pgaudit pkg:rpm/almalinux/pg_repack pkg:rpm/almalinux/postgres-decoderbufs pkg:rpm/almalinux/postgresql pkg:rpm/almalinux/postgresql-contrib pkg:rpm/almalinux/postgresql-docs pkg:rpm/almalinux/postgresql-plperl pkg:rpm/almalinux/postgresql-plpython3 pkg:rpm/almalinux/postgresql-pltcl pkg:rpm/almalinux/postgresql-private-devel pkg:rpm/almalinux/postgresql-private-libs pkg:rpm/almalinux/postgresql-server pkg:rpm/almalinux/postgresql-server-devel pkg:rpm/almalinux/postgresql-static pkg:rpm/almalinux/postgresql-test pkg:rpm/almalinux/postgresql-test-rpm-macros pkg:rpm/almalinux/postgresql-upgrade pkg:rpm/almalinux/postgresql-upgrade-devel pkg:rpm/opensuse/postgresql15&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/postgresql15&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/postgresql15&distro=openSUSE%20Tumbleweed pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/postgresql15&distro=SUSE%20Manager%20Proxy%204.2 pkg:rpm/suse/postgresql15&distro=SUSE%20Manager%20Server%204.2
>= 15.0.0, < 15.4.0+ 31 more
- (no CPE)range: >= 15.0.0, < 15.4.0
- (no CPE)range: < 1.7.0-1.module_el9.2.0+22+09653793
- (no CPE)range: < 1.4.8-1.module_el9.2.0+22+09653793
- (no CPE)range: < 1.9.7-1.Final.module_el9.2.0+22+09653793
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.5-1.module_el9.3.0+52+21733919
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-1.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-3.12.1
- (no CPE)range: < 15.4-3.12.1
- (no CPE)range: < 15.4-3.12.1
- (no CPE)range: < 15.4-150200.5.12.1
- (no CPE)range: < 15.4-150200.5.12.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2023:7785mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2023:7883mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2023:7884mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2023:7885mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/security/cve/CVE-2023-39418mitrevdb-entryx_refsource_REDHAT
bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT
git.postgresql.org/gitweb/mitre
www.postgresql.org/support/security/CVE-2023-39418/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000