Autovacuum, REINDEX, and others omit "security restricted operation" sandbox

Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another user's objects. Those commands activated relevant protections too late or not at all. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under a superuser identity.

While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum, not manually running the above commands, and not restoring from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM is safe, and all commands are fine when a trusted user owns the target object.

The PostgreSQL project thanks Alexander Lakhin for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
14 14.3 May 12, 2022
13 13.7 May 12, 2022
12 12.11 May 12, 2022
11 11.16 May 12, 2022
10 10.21 May 12, 2022

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 8.8
Component core server
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.