Server processes unencrypted bytes from man-in-the-middle

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2011-0411 (different product).

The PostgreSQL project thanks Jacob Champion for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
14 14.1 Nov. 11, 2021
13 13.5 Nov. 11, 2021
12 12.9 Nov. 11, 2021
11 11.14 Nov. 11, 2021
10 10.19 Nov. 11, 2021
9.6 9.6.24 Nov. 11, 2021

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 8.1
Component core server
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.