PostgreSQL Patches 11 Flaws Including RCE and SQL Injection
The PostgreSQL Global Development Group has released emergency security updates addressing 11 high-severity vulnerabilities across its widely deployed open-source database platform.
The patched versions 18.4, 17.10, 16.14, 15.18, and 14.23 resolve flaws enabling remote code execution (RCE), SQL injection, memory corruption, and denial-of-service (DoS) attacks affecting PostgreSQL versions 14 through 18.
The update also resolves more than 60 non-security bugs spanning query correctness, replication reliability, and backup handling, making it one of the more significant maintenance releases in recent cycles.
High-Severity Vulnerabilities
The most critical flaws carry CVSS scores of 8.8, placing them at the high end of the severity scale. Among the standout vulnerabilities:
- CVE-2026-6637 (CVSS 8.8) — A stack buffer overflow and SQL injection flaw in the refint module that can be triggered by an unprivileged user, potentially enabling full remote code execution on the host system.
- CVE-2026-6476 (CVSS 7.2) — SQL injection in pg_createsubscriber permits execution of arbitrary SQL commands with superuser privileges.
- CVE-2026-6477 (CVSS 8.8) — libpq lo_* functions allow a malicious server to overwrite client-side memory buffers, creating a dangerous memory corruption vector.
- CVE-2026-6475 (CVSS 8.8) — A symlink attack in pg_basebackup and pg_rewind enables overwriting arbitrary files on the system.
- CVE-2026-6473 (CVSS 8.8) — An integer wraparound leads to out-of-bounds writes and potential server crashes.
- CVE-2026-6479 (CVSS 7.5) — An SSL/GSS recursion flaw allows denial-of-service through socket connections.
- CVE-2026-6472 (CVSS 5.4) — Missing authorization in CREATE TYPE enables search_path hijacking to execute arbitrary SQL functions.
- CVE-2026-6478 (CVSS 6.5) — A timing side-channel attack exposes MD5-hashed passwords during the authentication handshake.
- CVE-2026-6638 (CVSS 3.7) — SQL injection via table names in logical replication's REFRESH PUBLICATION statement.
- CVE-2026-6474 (CVSS 4.3) — A format string bug in timeofday() leaks portions of server memory.
- CVE-2026-6575 (CVSS 4.3) — A buffer over-read in pg_restore_attribute_stats affecting PostgreSQL 18 only.
All installations running PostgreSQL 14 through 18 prior to the patched minor releases remain vulnerable. Enterprise environments exposing replication features, client libraries, or user-controlled input to the database are at elevated risk, as the majority of critical flaws target exactly these attack surfaces.
Mitigation
Organizations should treat this update as urgent and implement the following steps immediately:
- Upgrade to the latest patched versions: 18.4, 17.10, 16.14, 15.18, or 14.23.
- Migrate away from MD5 password authentication and switch to SCRAM-SHA-256.
- Restrict privileges assigned to replication and subscription roles.
- Audit usage of the refint extension and logical replication configurations.
- Monitor for anomalous query patterns or unexpected crashes that may signal active exploitation attempts.
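One way to turn the checklist above into something verifiable on a running server, as an added example that is not part of the article or of the PostgreSQL project: a psql audit script over the system catalogs. It assumes superuser access (pg_authid and pg_hba_file_rules are superuser-only) and uses the patched minor numbers the article lists; it does not itself change anything.

```sql
-- Added audit script (not from the advisory or the PostgreSQL project).
-- Run with psql as a superuser. Patched minors are those named in the article.

-- 1. Is this server at or above the patched minor release for its major?
--    server_version_num is major*10000 + minor, e.g. 16.9 -> 160009.
SELECT v AS server_version_num,
       CASE WHEN v >= 180000 THEN v >= 180004
            WHEN v >= 170000 THEN v >= 170010
            WHEN v >= 160000 THEN v >= 160014
            WHEN v >= 150000 THEN v >= 150018
            WHEN v >= 140000 THEN v >= 140023
            ELSE false                      -- 13 and older: out of support
       END AS patched,
       (v >= 140000 AND v < 150000) AS pg14_eol_2026_11_12
FROM (SELECT current_setting('server_version_num')::int AS v) s;

-- 2. Login roles still carrying MD5 password hashes (migrate to SCRAM-SHA-256).
SELECT rolname,
       CASE WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            WHEN rolpassword IS NULL                THEN 'no password'
            ELSE 'other' END AS hash_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY hash_type, rolname;

-- 3. Default hashing for new passwords, and pg_hba rules still accepting MD5.
SELECT current_setting('password_encryption') AS password_encryption;
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method IN ('md5', 'password');

-- 4. Replication-capable and superuser roles (restrict to what is needed).
SELECT rolname, rolsuper, rolreplication, rolbypassrls
FROM pg_roles
WHERE rolreplication OR rolsuper
ORDER BY rolname;

-- 5. Logical replication objects and the refint extension (per database).
SELECT subname, subowner::regrole AS owner, subenabled FROM pg_subscription;
SELECT pubname, pubowner::regrole AS owner, puballtables FROM pg_publication;
SELECT extname, extversion, extnamespace::regnamespace AS schema
FROM pg_extension
WHERE extname = 'refint';
```

Sections 2 and 5 are per-database catalogs except pg_authid and pg_subscription, so repeat the script in each database of the cluster.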
Notably, PostgreSQL 14 reaches end-of-life on November 12, 2026, after which it will receive no further security updates. Administrators still running version 14 should prioritize migration to a supported branch before that deadline.
The release also updates timezone data to tzdata 2026b, incorporating British Columbia’s adoption of permanent daylight saving time beginning November 2026.