CVE-2026-6475 PUBLISHED

PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

Assigner: PostgreSQL
Reserved: 17.04.2026 Published: 14.05.2026 Updated: 15.05.2026

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	n/a
Product	PostgreSQL
Versions	Default: unaffected affected from 18 to 18.4 (excl.) affected from 17 to 17.10 (excl.) affected from 16 to 16.14 (excl.) affected from 15 to 15.18 (excl.) affected from 0 to 14.23 (excl.)

Credits

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

References

https://www.postgresql.org/support/security/CVE-2026-6475/

Problem Types

UNIX Symbolic Link (Symlink) Following CWE