UBUNTU-CVE-2026-6638

Source
https://ubuntu.com/security/CVE-2026-6638
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-6638
Upstream
  • CVE-2026-6638
Published
2026-05-14T14:16:00Z
Modified
2026-05-21T23:15:06.477267216Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Ubuntu - medium
Summary
[none]
Details

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

Affected packages

Ubuntu:20.04:LTS
postgresql-12

Package

Name
postgresql-12
Purl
pkg:deb/ubuntu/postgresql-12?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

12.*
12.0-1
12.1-1
12.1-2build1
12.2-1
12.2-1ubuntu2
12.2-4
12.4-0ubuntu0.20.04.1
12.5-0ubuntu0.20.04.1
12.6-0ubuntu0.20.04.1
12.7-0ubuntu0.20.04.1
12.8-0ubuntu0.20.04.1
12.9-0ubuntu0.20.04.1
12.10-0ubuntu0.20.04.1
12.11-0ubuntu0.20.04.1
12.12-0ubuntu0.20.04.1
12.13-0ubuntu0.20.04.1
12.14-0ubuntu0.20.04.1
12.15-0ubuntu0.20.04.1
12.16-0ubuntu0.20.04.1
12.17-0ubuntu0.20.04.1
12.18-0ubuntu0.20.04.1
12.19-0ubuntu0.20.04.1
12.20-0ubuntu0.20.04.1
12.22-0ubuntu0.20.04.1
12.22-0ubuntu0.20.04.2
12.22-0ubuntu0.20.04.4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-client-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-doc-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-plperl-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-plpython3-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-pltcl-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        },
        {
            "binary_name": "postgresql-server-dev-12",
            "binary_version": "12.22-0ubuntu0.20.04.4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:22.04:LTS
postgresql-14

Package

Name
postgresql-14
Purl
pkg:deb/ubuntu/postgresql-14?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
14.23-0ubuntu0.22.04.1

Affected versions

14.*
14.1-1ubuntu1
14.2-1
14.2-1ubuntu1
14.3-0ubuntu0.22.04.1
14.4-0ubuntu0.22.04.1
14.5-0ubuntu0.22.04.1
14.6-0ubuntu0.22.04.1
14.7-0ubuntu0.22.04.1
14.8-0ubuntu0.22.04.1
14.9-0ubuntu0.22.04.1
14.10-0ubuntu0.22.04.1
14.11-0ubuntu0.22.04.1
14.12-0ubuntu0.22.04.1
14.13-0ubuntu0.22.04.1
14.15-0ubuntu0.22.04.1
14.17-0ubuntu0.22.04.1
14.18-0ubuntu0.22.04.1
14.19-0ubuntu0.22.04.1
14.20-0ubuntu0.22.04.1
14.22-0ubuntu0.22.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-client-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-doc-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-plperl-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-plpython3-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-pltcl-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        },
        {
            "binary_name": "postgresql-server-dev-14",
            "binary_version": "14.23-0ubuntu0.22.04.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:24.04:LTS
postgresql-16

Package

Name
postgresql-16
Purl
pkg:deb/ubuntu/postgresql-16?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
16.14-0ubuntu0.24.04.1

Affected versions

16.*
16.0-2
16.1-1
16.1-1build1
16.1-1build3
16.2-1
16.2-1ubuntu2
16.2-1ubuntu3
16.2-1ubuntu4
16.3-0ubuntu0.24.04.1
16.4-0ubuntu0.24.04.1
16.4-0ubuntu0.24.04.2
16.6-0ubuntu0.24.04.1
16.8-0ubuntu0.24.04.1
16.9-0ubuntu0.24.04.1
16.10-0ubuntu0.24.04.1
16.11-0ubuntu0.24.04.1
16.13-0ubuntu0.24.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-client-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-doc-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-plperl-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-plpython3-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-pltcl-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        },
        {
            "binary_name": "postgresql-server-dev-16",
            "binary_version": "16.14-0ubuntu0.24.04.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:25.10
postgresql-17

Package

Name
postgresql-17
Purl
pkg:deb/ubuntu/postgresql-17?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
17.10-0ubuntu0.25.10.1

Affected versions

17.*
17.4-1
17.4-2
17.5-1
17.5-1build1
17.6-1
17.6-1build1
17.7-0ubuntu0.25.10.1
17.9-0ubuntu0.25.10.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-client-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-doc-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-plperl-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-plpython3-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-pltcl-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        },
        {
            "binary_name": "postgresql-server-dev-17",
            "binary_version": "17.10-0ubuntu0.25.10.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:26.04:LTS
postgresql-18

Package

Name
postgresql-18
Purl
pkg:deb/ubuntu/postgresql-18?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
18.4-0ubuntu0.26.04.1

Affected versions

18.*
18.0-1
18.1-1
18.1-1ubuntu1
18.1-1ubuntu2
18.1-2
18.3-1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "libpq-oauth",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-18-jit",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-client-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-doc-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-plperl-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-plpython3-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-pltcl-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        },
        {
            "binary_name": "postgresql-server-dev-18",
            "binary_version": "18.4-0ubuntu0.26.04.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:Pro:14.04:LTS
postgresql-9.3

Package

Name
postgresql-9.3
Purl
pkg:deb/ubuntu/postgresql-9.3?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

9.*
9.3.1-1
9.3.2-1
9.3.2-1ubuntu1
9.3.2-1ubuntu2
9.3.3-1
9.3.3-1bzr1
9.3.3-1bzr2
9.3.4-1
9.3.5-0ubuntu0.14.04.1
9.3.6-0ubuntu0.14.04
9.3.7-0ubuntu0.14.04
9.3.8-0ubuntu0.4.04
9.3.9-0ubuntu0.14.04
9.3.10-0ubuntu0.14.04
9.3.11-0ubuntu0.14.04
9.3.12-0ubuntu0.14.04
9.3.13-0ubuntu0.14.04
9.3.14-0ubuntu0.14.04
9.3.15-0ubuntu0.14.04
9.3.16-0ubuntu0.14.04
9.3.17-0ubuntu0.14.04
9.3.18-0ubuntu0.14.04.1
9.3.19-0ubuntu0.14.04
9.3.20-0ubuntu0.14.04
9.3.21-0ubuntu0.14.04
9.3.22-0ubuntu0.14.04
9.3.23-0ubuntu0.14.04
9.3.24-0ubuntu0.14.04
9.3.24-0ubuntu0.14.04+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-client-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-contrib-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-doc-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-plperl-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-plpython-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-plpython3-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-pltcl-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        },
        {
            "binary_name": "postgresql-server-dev-9.3",
            "binary_version": "9.3.24-0ubuntu0.14.04+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:Pro:16.04:LTS
postgresql-9.5

Package

Name
postgresql-9.5
Purl
pkg:deb/ubuntu/postgresql-9.5?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

9.*
9.5.0-1
9.5.0-2
9.5.0-3
9.5.1-1
9.5.2-1
9.5.3-0ubuntu0.16.04
9.5.4-0ubuntu0.16.04
9.5.5-0ubuntu0.16.04
9.5.6-0ubuntu0.16.04
9.5.7-0ubuntu0.16.04
9.5.8-0ubuntu0.16.04.1
9.5.9-0ubuntu0.16.04
9.5.10-0ubuntu0.16.04
9.5.11-0ubuntu0.16.04
9.5.12-0ubuntu0.16.04
9.5.13-0ubuntu0.16.04
9.5.14-0ubuntu0.16.04
9.5.16-0ubuntu0.16.04.1
9.5.17-0ubuntu0.16.04.1
9.5.18-0ubuntu0.16.04.1
9.5.19-0ubuntu0.16.04.1
9.5.21-0ubuntu0.16.04.1
9.5.23-0ubuntu0.16.04.1
9.5.24-0ubuntu0.16.04.1
9.5.25-0ubuntu0.16.04.1
9.5.25-0ubuntu0.16.04.1+esm1
9.5.25-0ubuntu0.16.04.1+esm2
9.5.25-0ubuntu0.16.04.1+esm3
9.5.25-0ubuntu0.16.04.1+esm4
9.5.25-0ubuntu0.16.04.1+esm5
9.5.25-0ubuntu0.16.04.1+esm6
9.5.25-0ubuntu0.16.04.1+esm7
9.5.25-0ubuntu0.16.04.1+esm8
9.5.25-0ubuntu0.16.04.1+esm10

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-client-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-contrib-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-doc-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-plperl-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-plpython-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-plpython3-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-pltcl-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        },
        {
            "binary_name": "postgresql-server-dev-9.5",
            "binary_version": "9.5.25-0ubuntu0.16.04.1+esm10"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"
Ubuntu:Pro:18.04:LTS
postgresql-10

Package

Name
postgresql-10
Purl
pkg:deb/ubuntu/postgresql-10?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

10.*
10.1-1
10.1-2
10.2-1
10.3-1
10.4-0ubuntu0.18.04
10.5-0ubuntu0.18.04
10.6-0ubuntu0.18.04.1
10.7-0ubuntu0.18.04.1
10.8-0ubuntu0.18.04.1
10.9-0ubuntu0.18.04.1
10.10-0ubuntu0.18.04.1
10.12-0ubuntu0.18.04.1
10.14-0ubuntu0.18.04.1
10.15-0ubuntu0.18.04.1
10.16-0ubuntu0.18.04.1
10.17-0ubuntu0.18.04.1
10.18-0ubuntu0.18.04.1
10.19-0ubuntu0.18.04.1
10.20-0ubuntu0.18.04.1
10.21-0ubuntu0.18.04.1
10.22-0ubuntu0.18.04.1
10.23-0ubuntu0.18.04.1
10.23-0ubuntu0.18.04.2
10.23-0ubuntu0.18.04.2+esm1
10.23-0ubuntu0.18.04.2+esm2
10.23-0ubuntu0.18.04.2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libecpg-compat3",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "libecpg6",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "libpgtypes3",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "libpq5",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-client-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-doc-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-plperl-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-plpython-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-plpython3-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-pltcl-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        },
        {
            "binary_name": "postgresql-server-dev-10",
            "binary_version": "10.23-0ubuntu0.18.04.2+esm3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-6638.json"