CVE-2026-6476
Description
SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection flaw in PostgreSQL pg_createsubscriber lets users with subscription creation rights execute arbitrary SQL as superuser when the tool next runs.
Vulnerability Analysis
CVE-2026-6476 is a SQL injection vulnerability in the PostgreSQL utility pg_createsubscriber. The flaw allows an attacker who possesses the pg_create_subscription privilege to inject arbitrary SQL commands that are executed with superuser privileges. The injection occurs through the subscription name parameter, and the malicious SQL is executed the next time pg_createsubscriber is run [1].
Attack Surface and Exploitation
The attack requires a database user with the pg_create_subscription right, which is a high-privilege role but not necessarily superuser. An attacker with this permission can craft a subscription name containing SQL injection payloads. The exploit does not take effect immediately but is triggered when the pg_createsubscriber command is executed, making it a stored or deferred injection [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL statements as a superuser. This gives full control over the database, including reading, modifying, or deleting data, and potentially executing operating system commands through database extensions [1].
Mitigation
PostgreSQL has released fixed versions: 18.4 and 17.10, published on 2026-05-14. Users running PostgreSQL 17 or 18 should update to the latest minor release. Versions before 17 are not affected. No workaround other than updating is mentioned in the advisory [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >= 17, < 17.10 || >= 18, < 18.4
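A small checker, added here as an example and not part of the advisory or of PostgreSQL itself, that parses the range notation used above and tells a defender whether a given server_version string falls inside the affected window (it assumes the ">= a, < b || ..." grammar shown on this page and the fixed releases 17.10 and 18.4 named in the Mitigation section):

```python
"""Decide whether a PostgreSQL server is inside the affected range
quoted on this page for CVE-2026-6476.

Range grammar (assumed from the page's notation): '||' separates
alternatives; each alternative is a comma-separated list of comparator
clauses that must all hold. Fixed releases come from the advisory text.
"""
import operator
import re

AFFECTED_RANGE = ">= 17, < 17.10 || >= 18, < 18.4"
FIXED = {17: "17.10", 18: "18.4"}  # first unaffected minor per major

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "=": operator.eq}


def parse_version(text):
    """Turn '17.9' or 'PostgreSQL 17.9 on x86_64-pc-linux-gnu ...' into
    (major, minor). Numeric tuples are required: a plain string compare
    would wrongly rank '17.10' below '17.9'."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)) if m.group(2) else 0)


def parse_range(expr):
    """Parse the page's range notation into a list of alternatives, each a
    list of (comparison function, version tuple) clauses."""
    alternatives = []
    for alt in expr.split("||"):
        clauses = []
        for clause in alt.split(","):
            m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\d.]+)\s*", clause)
            if not m:
                raise ValueError(f"bad range clause {clause!r}")
            clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
        alternatives.append(clauses)
    return alternatives


def is_affected(version_text, expr=AFFECTED_RANGE):
    """True when the version satisfies every clause of some alternative."""
    v = parse_version(version_text)
    return any(all(op(v, bound) for op, bound in clauses)
               for clauses in parse_range(expr))


def assess(version_text):
    """Return (affected, advice) for a server_version string."""
    major = parse_version(version_text)[0]
    if is_affected(version_text):
        return True, f"update to PostgreSQL {FIXED[major]} or later"
    return False, "not in the affected range"
```

Feed it the output of `SHOW server_version` or `SELECT version()` from each instance; the regex picks the first major.minor it finds, so the full version() banner works as input.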
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.postgresql.org/support/security/CVE-2026-6476/ (NVD tags: Patch, Vendor Advisory)
News mentions
No linked articles in our index yet.