Critical PostgreSQL Vulnerabilities Enable Remote Code Execution and SQL Injection
Severity: High (Score: 72.0)
Sources: Heise.De, nvd.nist.gov, Ccb.Belgium.Be, Cybersecuritynews, github.com
Keywords: postgresql, remote, code, execution, injection, released, critical
Severity indicators: critical, remote code execution, ot
Summary
PostgreSQL has released security updates addressing multiple high-risk vulnerabilities that could lead to remote code execution (RCE) and SQL injection attacks. The updates, available in versions 18.4, 17.10, 16.14, 15.18, and 14.23, fix eleven vulnerabilities, including CVE-2026-6473, CVE-2026-6475, and CVE-2026-6637, all rated CVSS 8.8. Attackers could exploit these flaws to execute arbitrary code, overwrite local files, and inject SQL commands. The vulnerabilities affect widely deployed PostgreSQL database environments. IT managers are urged to apply the updates promptly to mitigate risks. Additionally, over 60 bugs have been resolved in these updates. The vulnerabilities were disclosed on May 14, 2026, and are considered critical due to their potential impact on database security.

Key Points:
- PostgreSQL released updates for 11 high-risk vulnerabilities affecting multiple versions.
- Critical vulnerabilities include remote code execution and SQL injection risks.
- IT managers are urged to update their systems immediately to mitigate potential attacks.
Detailed Analysis
**Impact**
All organizations running PostgreSQL on any supported branch (14 through 18) are affected; the fixed releases are 14.23, 15.18, 16.14, 17.10, and 18.4. The vulnerabilities enable remote code execution, SQL injection, and denial-of-service attacks, potentially compromising database integrity and allowing attackers to execute arbitrary commands on the host system. This impacts sectors relying on PostgreSQL for critical data storage and processing globally, with no geographic limitations specified. Data at risk includes sensitive business information and credentials stored within affected database environments.

**Technical Details**
Attackers can exploit an integer underflow (CVE-2026-6473), a symbolic-link-following vulnerability (CVE-2026-6475), a stack memory overwrite (CVE-2026-6477), and a stack-based buffer overflow in the refint module (CVE-2026-6637) to achieve remote code execution and SQL injection. A proof-of-concept exploit exists for CVE-2026-2005 in the pgcrypto extension, enabling privilege escalation and arbitrary command execution. The privilege level required varies: some flaws are reachable by low-privileged database users, while others require a server superuser. Multiple PostgreSQL versions are affected. No specific malware or IOCs were reported.

**Recommended Response**
Apply PostgreSQL updates immediately by upgrading to versions 18.4, 17.10, 16.14, 15.18, or 14.23 to remediate all eleven vulnerabilities and over 60 bugs. Harden configurations to restrict superuser privileges and monitor for unusual file modifications, especially in system files like “/var/lib/postgres/.bashrc.” Deploy detection rules for anomalous SQL injection patterns and remote code execution attempts. In the absence of specific IOCs, continuous monitoring of PostgreSQL logs and network traffic for suspicious activity is advised.
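The first step of the recommended response is knowing which servers in an estate still run a pre-fix minor release. The following Python is an added example written for this summary (it is not code from the advisory, from PostgreSQL, or from any of the source articles) that classifies a server from the string returned by `SHOW server_version` or `SELECT version()` against the fixed releases named above. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed for illustration; the fixed-minor table is the only data taken from the advisory.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# First fixed minor release per supported major branch, taken from the
# advisory above (18.4, 17.10, 16.14, 15.18, 14.23).
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
OLDEST_SUPPORTED = min(FIXED_MINOR)

# Matches the leading "<major>.<minor>" of `SHOW server_version` output
# ("16.3 (Debian ...)") or of `SELECT version()` output ("PostgreSQL 16.3 ...").
# Anchoring at the start avoids picking up the compiler version that
# version() appends, e.g. "compiled by gcc (Debian 12.2.0-14) 12.2.0".
_VERSION_RE = re.compile(r"^(?:PostgreSQL\s+)?(\d+)\.(\d+)\b")


class VersionStatus(NamedTuple):
    status: str  # "patched", "vulnerable", "unsupported" or "unknown"
    major: Optional[int]
    minor: Optional[int]


def parse_version(text: str) -> Optional[tuple[int, int]]:
    """Return (major, minor) from a server version string, or None if it
    cannot be read reliably (e.g. a beta build such as "18beta1")."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def check_version(text: str) -> VersionStatus:
    """Classify one server against the fixed releases in the advisory."""
    parsed = parse_version(text)
    if parsed is None:
        return VersionStatus("unknown", None, None)
    major, minor = parsed
    if major < OLDEST_SUPPORTED:
        # End-of-life branches receive no fix at all: a major upgrade is needed.
        return VersionStatus("unsupported", major, minor)
    if major not in FIXED_MINOR:
        # A branch the advisory does not list: check its release notes by hand.
        return VersionStatus("unknown", major, minor)
    if minor >= FIXED_MINOR[major]:
        return VersionStatus("patched", major, minor)
    return VersionStatus("vulnerable", major, minor)


def triage(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts by status; everything outside 'patched' needs follow-up."""
    buckets: dict[str, list[str]] = {
        "patched": [], "vulnerable": [], "unsupported": [], "unknown": []
    }
    for host, text in hosts.items():
        buckets[check_version(text).status].append(host)
    return buckets


# Constructed sample inventory (hypothetical hostnames and version strings),
# shaped like the output of `SELECT version()` or `SHOW server_version`.
SAMPLE_INVENTORY = {
    "db-prod-01": "PostgreSQL 16.14 (Debian 16.14-1.pgdg120+1) on x86_64-pc-linux-gnu, "
                  "compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit",
    "db-prod-02": "PostgreSQL 16.3 on x86_64-pc-linux-gnu, "
                  "compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit",
    "db-analytics": "17.10 (Ubuntu 17.10-1.pgdg24.04+1)",
    "db-legacy": "13.16 (Ubuntu 13.16-1.pgdg22.04+1)",
    "db-test": "PostgreSQL 18beta1 on x86_64-pc-linux-gnu",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(names) or '-'}")
```

The regex is anchored at the start of the string on purpose: `SELECT version()` also reports the compiler version, and an unanchored search would happily read "12.2" out of the gcc banner of a beta build and misclassify it. Any string the parser cannot read lands in the "unknown" bucket rather than silently passing as patched, so the report errs toward follow-up.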
Source articles (13)
- 20-Year — Gbhackers · 2026-05-19
  A newly released proof-of-concept (PoC) exploit for CVE-2026-2005 has brought renewed attention to a critical vulnerability in PostgreSQL’s pgcrypto extension, exposing systems to remote code executio…
- CVE 2026 6477 — nvd.nist.gov · 2026-05-20
  Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a clie…
- Bouncer Overflow — github.com · 2026-05-20
- Changelog — www.pgbouncer.org · 2026-05-20
  2026-05-08 - PgBouncer 1.25.2 - “Human touch with fresh twist in title race full of uncertainties” 2025-12-03 - PgBouncer 1.25.1 - “Fixing a bunch of bugs before Christmas” Fix CVE-2025-12819: Before…
- CVE 2026 6475 — nvd.nist.gov · 2026-05-20
  Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system accoun…
- CVE 2026 6473 — nvd.nist.gov · 2026-05-20
  Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code a…
- Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections — Cybersecuritynews · 2026-05-19
  The PostgreSQL Global Development Group has released critical security updates for all supported branches, fixing 11 vulnerabilities, including arbitrary code execution and several SQL injection flaws…
- Warning: PostgreSQL patches multiple vulnerabilities and announces EOL date for version ... — Ccb.Belgium.Be · 2026-05-20
  PostgreSQL - PostgreSQL is the world's most widely deployed open-source relational database. Its ubiquity makes it a high-value target: compromising a PostgreSQL instance typically means compromising…
- PoC Exploit Released for 20 — Cybersecuritynews · 2026-05-20
  A proof-of-concept (PoC) exploit has been publicly released for CVE-2026-2005, a critical remote code execution (RCE) vulnerability affecting PostgreSQL’s pgcrypto extension. The flaw, rooted in legac…
- Warning: Actively exploited Integer Overflow in PgBouncer, Patch Immediately! — Ccb.Belgium.Be · 2026-05-20
  PgBouncer is an open-source connection pooler for PostgreSQL, available free of charge. In early May 2026, a vulnerability affecting PgBouncer was discovered, which affects all versions prior to 1.25.…
- PostgreSQL: Updates patch high-risk security vulnerabilities — Heise.De · 2026-05-18
  Several security vulnerabilities have been discovered in the PostgreSQL database, which could allow attackers to inject SQL commands, among other things. Updated software is available. IT managers sho…
- PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection — Gbhackers · 2026-05-19
  PostgreSQL has released critical security updates addressing multiple high-impact vulnerabilities that could allow remote code execution (RCE), SQL injection, and denial-of-service (DoS) attacks acros…
- CVE 2026 6637 — nvd.nist.gov · 2026-05-20
  Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if t…
Timeline
- 2026-02-12 — CVE-2026-2005 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-14 — Multiple PostgreSQL vulnerabilities disclosed: Eleven vulnerabilities were published, including CVE-2026-6473 and CVE-2026-6475, rated CVSS 8.8.
- 2026-05-14 — CVE-2026-6637 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-14 — CVE-2026-6475 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-14 — CVE-2026-6473 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-14 — CVE-2026-6477 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-18 — Security updates released: PostgreSQL versions 18.4, 17.10, 16.14, 15.18, and 14.23 were released to address the vulnerabilities.
- 2026-05-19 — Security advisory issued: IT managers are urged to apply the updates quickly to protect against potential exploitation.
CVEs
Related entities
- Denial-of-Service (Attack Type)
- SQL Injection (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-120 - Classic Buffer Overflow (CWE)
- CWE-89 - SQL Injection (CWE)
- german.it (Domain)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- Linux (Platform)
- PostgreSQL (Platform)