TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution

Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact.

As part of exploiting this vulnerability, the attacker uses CREATE DOMAIN to create a type in a pg_temp schema. The attack pattern and fix are similar to that for CVE-2007-2138.

Writing SECURITY DEFINER functions continues to require following the considerations noted in the documentation:

The PostgreSQL project thanks Tom Lane for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
11 11.5 Aug. 8, 2019
10 10.10 Aug. 8, 2019
9.6 9.6.15 Aug. 8, 2019
9.5 9.5.19 Aug. 8, 2019
9.4 9.4.24 Aug. 8, 2019

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 7.5
Component core server
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.