CVE-2026-6476

HIGH7.2EPSS 0.03%

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

Published: 5/14/2026Modified: 5/19/2026

Also known as:ALPINE-CVE-2026-6476

Description

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Affected packages (5)

Alpine/postgresql17from 0, < 17.10-r0
Alpine/postgresql18from 0, < 18.4-r0
Bitnami/postgresql>= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
Debian/postgresql-17from 0, < 17.10-0+deb13u1
Debian/postgresql-18from 0, < 18.4-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-6476
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-6476
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-6476
WEBhttps://www.postgresql.org/support/security/CVE-2026-6476/