๐Ÿ” CVE Alert

CVE-2026-54291

UNKNOWN 0.0

Silent channel-binding authentication downgrade via unsupported certificate algorithms

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.

CWE CWE-636 CWE-757
Vendor pgjdbc
Product pgjdbc
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for pgjdbc pgjdbc

Be the first to know when new unknown vulnerabilities affecting pgjdbc pgjdbc are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

pgjdbc / pgjdbc
>= 42.7.4, < 42.7.12

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867 github.com: https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99 github.com: https://github.com/ongres/scram/releases/tag/3.3