BIT-postgresql-2026-6476

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2026-6476.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-postgresql-2026-6476
Aliases
  • CVE-2026-6476
Published
2026-05-18T05:53:03.395Z
Modified
2026-05-18T08:01:11.529138Z
Summary
PostgreSQL pg_createsubscriber allows SQL injection via subscription name
Details

SQL injection in PostgreSQL pgcreatesubscriber allows an attacker with pgcreatesubscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pgcreatesubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Database specific
{
    "cpes": [
        "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / postgresql

Package

Name
postgresql
Purl
pkg:bitnami/postgresql

Severity

  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
17.0.0
Fixed
17.10.0
Introduced
18.0.0
Fixed
18.4.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2026-6476.json"