CVE-2026-6476

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Published: 5/14/2026 Last updated: 5/15/2026 Reserved: 4/17/2026

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

CNA assigner: PostgreSQL (f86ef6dc-4d3a-42ad-8f28-e6d5547a5007) Requested by: n/a

Metrics

Version  Score  Severity  Vector String
3.1      7.2    High      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (1)

Product     Vendor  Version
PostgreSQL  n/a     6.7

References (2)

Credits (2)