CVE-2026-6472

Vulnerability

Overview

CVE-2026-6472 is a missing authorization vulnerability in PostgreSQL's CREATE TYPE command. The core issue is that when creating a user-defined type, PostgreSQL does not properly check the CREATE privilege on the schema for multirange types. This oversight allows an object creator to define a type that can be used to hijack other queries that rely on search_path to locate user-defined types, including those provided by extensions [1].

Exploitation

An attacker with the ability to create types in a schema that appears earlier in the victim's search_path can craft a malicious type. When the victim executes a query that uses search_path to find a type (for example, a function or operator that references a type by its unqualified name), the attacker's type is resolved instead of the intended one. This leads to the victim executing arbitrary SQL functions of the attacker's choice [1]. The attack requires the attacker to have the CREATE privilege on a schema that is searched before the legitimate type's schema, and the victim expects.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL functions in the context of the victim's session. This can lead to unauthorized data access (confidentiality impact) and unauthorized modification of data (integrity impact). The CVSS v3 base score is 5.4 (Medium), with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating low complexity and no user interaction beyond the victim running a query [1].

Mitigation

The vulnerability affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23. The fix was published on 2026-05-14. Users should upgrade to the fixed versions immediately. No workarounds are mentioned in the advisory [1].