VYPR
← All advisories
Medium severity5.3NVD Advisory· Published May 22, 2025· Updated Apr 15, 2026

CVE-2025-2506

CVE-2025-2506

Description

When pglogical attempts to replicate data, it does not verify it is using a replication connection, which means a user with CONNECT access to a database configured for replication can execute the pglogical command to obtain read access to replicated tables. When pglogical runs it should verify it is running on a replication connection but does not perform this check. This vulnerability was introduced in the pglogical 3.x codebase, which is proprietary to EDB. The same code base has been integrated into BDR/PGD 4 and 5. To exploit the vulnerability the attacker needs at least CONNECT permissions to a database configured for replication and must understand a number of pglogical3/BDR specific commands and be able to decode the binary protocol.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pglogical 3.x and BDR/PGD 4/5 fail to verify replication connections, allowing users with CONNECT access to read replicated tables.

## Vulnerability pglogical, a PostgreSQL extension for logical replication, does not verify that it is using a replication connection when replicating data [1]. This allows a user with CONNECT privileges on a database configured for replication to execute pglogical commands and gain read access to replicated tables. The flaw exists in the proprietary pglogical 3.x codebase and has been integrated into EDB's BDR/PGD 4 and 5 products.

Exploitation

To exploit, an attacker needs CONNECT permissions on a database that is set up for replication and must understand pglogical3/BDR-specific commands and be able to decode the binary protocol [1]. The attack complexity is high due to these requirements.

Impact and

Mitigation The vulnerability exposes replicated table data to unauthorized users, potentially leaking sensitive information. EDB has released fixes in pglogical 3.7.26-ELS, BDR/PGD 4.3.8-ELS, and BDR/PGD 5.8.0 [1]. Users should upgrade to these versions or later.

References
  1. CVE-2025-2506 - pglogical 3.x, BDR/PGD 4.x and BDR/PGD 5.x allow unauthorized reads

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.