Extension script @substitutions@ within quoting allow SQL injection

An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.

The PostgreSQL project thanks Micah Gates, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
15 15.4 Aug. 10, 2023
14 14.9 Aug. 10, 2023
13 13.12 Aug. 10, 2023
12 12.16 Aug. 10, 2023
11 11.21 Aug. 10, 2023

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 7.5
Component core server
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.