CVE-2026-6476 PUBLISHED

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Assigner: PostgreSQL
Reserved: 17.04.2026
Published: 14.05.2026
Updated: 15.05.2026

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.2

Product Status

Vendor n/a
Product PostgreSQL
Versions Default: unaffected
  • affected from 18 to 18.4 (excl.)
  • affected from 17 to 17.10 (excl.)

Affected Configurations

attacker has pg_create_subscription rights
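An added audit query (not part of the CVE record or of the PostgreSQL project) that a DBA can run with psql on each instance to check the two preconditions named in the description and in the affected configuration above: a server version in an affected range, and roles that hold pg_create_subscription. It assumes only standard catalog objects (pg_roles, pg_has_role, server_version_num) and that the version-to-number mapping is major*10000 + minor.

```sql
-- Added audit query, not from the advisory. Run as a superuser or any
-- role allowed to read pg_roles (default for all roles).

-- 1. Is this server in an affected minor-version range?
--    17.x before 17.10 -> 170000..170009, 18.x before 18.4 -> 180000..180003
SELECT current_setting('server_version')     AS server_version,
       current_setting('server_version_num')::int AS version_num,
       CASE
         WHEN current_setting('server_version_num')::int BETWEEN 170000 AND 170009
           THEN 'affected: update to 17.10 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 180000 AND 180003
           THEN 'affected: update to 18.4 or later'
         ELSE 'not in an affected range'
       END AS status;

-- 2. Which roles could act as the "attacker with pg_create_subscription
--    rights"? Direct and inherited membership both count, so use pg_has_role
--    rather than reading pg_auth_members by hand. Built-in pg_* roles are
--    skipped; superusers are listed too because pg_has_role is true for them.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin
FROM   pg_roles AS r
WHERE  pg_has_role(r.oid, 'pg_create_subscription', 'MEMBER')
  AND  r.rolname NOT LIKE 'pg\_%'
ORDER  BY r.rolname;

-- 3. Heuristic review of existing subscription names: the record says the
--    injection travels through a subscription name, so names containing
--    anything beyond the conservative identifier charset deserve a look.
SELECT subname
FROM   pg_subscription
WHERE  subname !~ '^[a-z_][a-z0-9_]*$'
ORDER  BY subname;
```

On an affected server, any non-superuser role returned by the second query should have its pg_create_subscription membership reviewed until the fixed minor version is installed.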

Credits

  • The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

Problem Types

  • CWE: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')