CVE-2026-6638

LOW 3.7

PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

CWE	CWE-89
Vendor	n/a
Product	postgresql
Ecosystems	Database
Industries	Technology
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for n/a postgresql

Be the first to know when new low vulnerabilities affecting n/a postgresql are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

n/a / PostgreSQL

18 < 18.4 17 < 17.10 16 < 16.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

postgresql.org: https://www.postgresql.org/support/security/CVE-2026-6638/

Credits

The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.