SQL injection in PostgreSQL logical replication
ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator
to execute arbitrary SQL with the subscription's publication-side credentials.
The attack takes effect at the next REFRESH PUBLICATION. Within major versions
16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are
affected. Versions before PostgreSQL 16 are unaffected.
The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 18 | 18.4 | 2026-05-12 |
| 17 | 17.10 | 2026-05-12 |
| 16 | 16.14 | 2026-05-12 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 3.7 |
|---|---|
| Component | core server |
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.