VYPR
High severity, score 7.8 · NVD Advisory · Published May 12, 2026 · Updated May 21, 2026

CVE-2026-32687
Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection.

The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.

This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1.

This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
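As an added illustration (not Postgrex's own code), the Elixir module below builds the LISTEN statement the unsafe way described above beside a quoted-identifier builder and an allow-list check that an application can apply before handing a channel name to Postgrex.Notifications.listen/3. The module name, function names and the sample channel name are constructed for this example.

```elixir
defmodule ChannelGuard do
  # Constructed example, not Postgrex code: contrasts the unsafe
  # interpolation described in the advisory with a quoted-identifier
  # builder and an allow-list check applied before calling
  # Postgrex.Notifications.listen/3.

  # Unsafe: an embedded " closes the identifier and everything after it
  # is parsed as further SQL by the simple query protocol.
  def naive_listen_sql(channel), do: ~s(LISTEN "#{channel}")

  # Safe: a PostgreSQL quoted identifier escapes " by doubling it, so the
  # whole value stays a single identifier however odd it looks.
  def quote_identifier(name) when is_binary(name) do
    if String.contains?(name, <<0>>) do
      raise ArgumentError, "identifier contains a NUL byte"
    end

    ~s(") <> String.replace(name, ~s("), ~s("")) <> ~s(")
  end

  def safe_listen_sql(channel), do: "LISTEN " <> quote_identifier(channel)

  # Stricter: reject anything that is not a plain identifier (letters,
  # digits, underscore; at most 63 bytes, PostgreSQL's NAMEDATALEN - 1).
  # Use this when channel names come from outside the application.
  def validate_channel(name) when is_binary(name) do
    if Regex.match?(~r/\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/, name) do
      {:ok, name}
    else
      {:error, :invalid_channel}
    end
  end
end

# Constructed hostile channel name: a double quote followed by a second statement.
hostile = ~s(events"; SELECT 1; --)

IO.puts("naive:  " <> ChannelGuard.naive_listen_sql(hostile))
IO.puts("quoted: " <> ChannelGuard.safe_listen_sql(hostile))
IO.inspect(ChannelGuard.validate_channel(hostile), label: "validate hostile")
IO.inspect(ChannelGuard.validate_channel("events"), label: "validate events")
```

Run it as an `.exs` script; the quoted form keeps the hostile value inside one identifier, and the allow-list check rejects it outright, which is the simpler policy when channel names are not fully under the application's control.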


Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions      Patched versions
postgrex (Hex)   >= 0.16.0, < 0.22.2    0.22.2

Affected products

  • Ecto/Postgrex: 3 versions
    • (no CPE)
    • cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* (range: >=0.16.0, <0.22.0)
    • (no CPE) (range: >=0.16.0, <0.22.2)
