CVE-2026-6638

PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

Published: 5/14/2026 Last updated: 5/14/2026 Reserved: 4/19/2026

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

CNA assigner: PostgreSQL (f86ef6dc-4d3a-42ad-8f28-e6d5547a5007) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	3.7	Low	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (1)

Product	Vendor	Version
PostgreSQL	n/a	n/a

References (1)

https://www.postgresql.org/support/security/CVE-2026-6638/

Credits (1)

The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.