Server processes unencrypted bytes from man-in-the-middle

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2011-0411 (different product).

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
14 14.1 2021-11-11
13 13.5 2021-11-11
12 12.9 2021-11-11
11 11.14 2021-11-11
10 10.19 2021-11-11
9.6 9.6.24 2021-11-11

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 8.1
Component core server
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.