Uncontrolled search path element in logical replication

The PostgreSQL search_path setting determines schemas searched for tables, functions, operators, etc. The CVE-2018-1058 fix caused most PostgreSQL-provided client applications to sanitize search_path, but logical replication continued to leave search_path unchanged. Users of a replication publisher or subscriber database can create objects in the public schema and harness them to execute arbitrary SQL functions under the identity running replication, often a superuser. Installations having adopted a documented secure schema usage pattern are not vulnerable.

The PostgreSQL project thanks Noah Misch for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
12 12.4 2020-08-13
11 11.9 2020-08-13
10 10.14 2020-08-13

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 7.5
Component core server
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.