CVE-2026-6475

HIGH 8.8

PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CWE	CWE-61
Vendor	n/a
Product	postgresql
Ecosystems	Database
Industries	Technology
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for n/a postgresql

Be the first to know when new high vulnerabilities affecting n/a postgresql are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / PostgreSQL

18 < 18.4 17 < 17.10 16 < 16.14 15 < 15.18 0 < 14.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗

postgresql.org: https://www.postgresql.org/support/security/CVE-2026-6475/

Credits

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.