CVE-2026-6638
Description
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in PostgreSQL's REFRESH PUBLICATION allows subscriber table creators to execute arbitrary SQL with publication-side credentials.
Vulnerability
SQL injection in PostgreSQL's logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials [1]. The bug is triggered by crafting a table name containing SQL injection. Affected versions are PostgreSQL 16 before 16.14, 17 before 17.10, and 18 before 18.4. Versions before 16 are unaffected [1].
Exploitation
An attacker needs to be a user who can create tables on the subscriber and have ALTER SUBSCRIPTION privileges [1]. The attacker creates a table with a name containing SQL injection and then performs ALTER SUBSCRIPTION ... REFRESH PUBLICATION. The attack takes effect at the next REFRESH PUBLICATION, executing arbitrary SQL with the subscription's publication-side credentials [1].
Impact
Successful exploitation allows arbitrary SQL execution with the subscription's publication-side credentials [1]. This can lead to low confidentiality and low integrity impacts, as reflected by the CVSS v3 score of 3.7. The scope remains unchanged [1].
Mitigation
PostgreSQL has released fixed versions: 18.4, 17.10, and 16.14, all published on 2026-05-14 [1]. Users should upgrade to these versions. No workarounds are documented. The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: >=16,<16.14 or >=17,<17.10 or >=18,<18.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- www.postgresql.org/support/security/CVE-2026-6638/nvdPatchVendor Advisory
News mentions
0No linked articles in our index yet.