Symlink following in PostgreSQL pg_basebackup plain (-Fp) format and in pg_rewind
allows an origin superuser to overwrite local files on the client host, e.g.
/var/lib/postgres/.bashrc, and thereby hijack the operating system account. It will
remain the case that starting the server after these commands implicitly trusts
the origin superuser, because the copied configuration can load arbitrary code
through features like shared_preload_libraries. Hence, the attack has practical
implications only if one takes relevant action between these commands and server
start, like moving the files to a different VM or snapshotting the VM. Versions
before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
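The check a practitioner would want in that window, between running pg_basebackup or pg_rewind against an origin they do not fully trust and moving or snapshotting the result: walk the new directory and report every symlink that is not in one of the two places PostgreSQL itself puts them (tablespace links under pg_tblspc/, and pg_wal when it was relocated with --waldir), noting whether each one resolves outside the directory. This is an added example, not PostgreSQL project code; the sample tree it builds, including the link target /var/lib/postgres/.bashrc taken from the text above, is constructed for the demonstration. It finds symlinks left in the tree, not a write that has already gone through one, and is no substitute for updating to a fixed release.

```python
import os
import tempfile
from pathlib import Path

# Where a PostgreSQL data directory legitimately holds symlinks that may point
# outside it: tablespace links under pg_tblspc/, and pg_wal when it was
# relocated (pg_basebackup --waldir). Everything else is reported.
ALLOWED_SYMLINK_DIRS = {Path("pg_tblspc")}
ALLOWED_SYMLINKS = {Path("pg_wal")}


def audit_symlinks(datadir):
    """Return one record per unexpected symlink under datadir.

    Each record is (relative path, raw link text, resolved target, escapes),
    where escapes is True when the resolved target lies outside datadir.
    Symlinked directories are listed but never descended into, so a link
    back into the tree cannot cause an endless walk.
    """
    root = Path(datadir).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            rel = p.relative_to(root)
            if rel in ALLOWED_SYMLINKS or rel.parent in ALLOWED_SYMLINK_DIRS:
                continue
            # realpath follows the whole chain and tolerates dangling links,
            # which is what we want: the target need not exist yet to be abused.
            resolved = Path(os.path.realpath(p))
            escapes = resolved != root and root not in resolved.parents
            findings.append((str(rel), os.readlink(p), str(resolved), escapes))
    return findings


def build_sample_datadir(plant_attack=True):
    """Constructed sample tree shaped like pg_basebackup -Fp output.

    The tablespace and WAL links are the legitimate kind; with plant_attack
    the tree also carries a link to /var/lib/postgres/.bashrc (the path named
    in the advisory) and an internal link from postgresql.auto.conf to
    pg_hba.conf. Both are hypothetical, made up for this example.
    """
    base = Path(tempfile.mkdtemp(prefix="pgaudit-"))
    data = base / "data"
    for d in ("base/16384", "global", "pg_tblspc"):
        (data / d).mkdir(parents=True)
    (base / "wal").mkdir()
    (base / "ts1").mkdir()
    (data / "base/16384/2601").write_bytes(b"\0" * 8192)
    (data / "global/pg_control").write_bytes(b"\0" * 512)
    (data / "pg_hba.conf").write_text("local all all trust\n")
    os.symlink("../wal", data / "pg_wal")                 # allowed (--waldir)
    os.symlink("../../ts1", data / "pg_tblspc/16385")     # allowed (tablespace)
    if plant_attack:
        os.symlink("/var/lib/postgres/.bashrc", data / "base/16384/13000")
        os.symlink("pg_hba.conf", data / "postgresql.auto.conf")
    return str(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_datadir()
    for rel, link, resolved, escapes in audit_symlinks(target):
        flag = "ESCAPES" if escapes else "internal"
        print(f"{flag:8} {rel} -> {link} (resolves to {resolved})")
```

Run it with the data directory as the only argument; with no argument it audits the constructed sample tree. A non-empty result is reason to discard the copy rather than start from it, since the same origin that planted a link could also have shipped a postgresql.conf that loads its code at server start.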
The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 18 | 18.4 | 2026-05-12 |
| 17 | 17.10 | 2026-05-12 |
| 16 | 16.14 | 2026-05-12 |
| 15 | 15.18 | 2026-05-12 |
| 14 | 14.23 | 2026-05-12 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 8.8 |
|---|---|
| Component | client |
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.