High severity8.8NVD Advisory· Published May 14, 2026· Updated May 14, 2026
CVE-2026-6475
CVE-2026-6475
Description
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
16- [Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)SANS Internet Storm Center · May 15, 2026
- TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)SANS Internet Storm Center · May 4, 2026
- The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)Unit 42 · May 2, 2026
- The Good, the Bad and the Ugly in Cybersecurity – Week 18SentinelOne Labs · May 1, 2026
- Introducing Dynamic Workflows: durable execution that follows the tenantCloudflare Blog · May 1, 2026
- The never-ending supply chain attacks worm into SAP npm packages, other dev toolsThe Register Security · Apr 30, 2026
- The never-ending supply chain attacks worm into SAP npm packages, other dev toolsThe Register Security · Apr 30, 2026
- TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' AttackDark Reading · Apr 30, 2026
- Another AI-Assisted Software Scan Yields 9-Year-Old Linux BugDark Reading · Apr 30, 2026
- What Happens in the First 24 Hours After a New Asset Goes LiveBleepingComputer · Apr 30, 2026
- Agents can now create Cloudflare accounts, buy domains, and deployCloudflare Blog · Apr 30, 2026
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain AttackThe Hacker News · Apr 29, 2026
- Building the agentic cloud: everything we launched during Agents Week 2026Cloudflare Blog · Apr 20, 2026
- DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the ProxyCheck Point Research · Apr 20, 2026
- ZDI-26-292: QNAP TS-453E QVRPro excpostgres Exposed Dangerous Method Remote Code Execution VulnerabilityZero Day Initiative · Apr 15, 2026
- ZDI-26-212: Schneider Electric EcoStruxure Data Center Expert Hard-coded Password Remote Code Execution VulnerabilityZero Day Initiative · Mar 16, 2026