EDB CVE Assessments

Suggest edits

The CVEs listed in this section are from PostgreSQL and other parties who have reported them and that may have an impact on EDB products.

Released 2026

CVE-2026-6637

  Read Assessment  Published: 2026/06/22

PostgreSQL refint allows stack buffer overflow and SQL injection

PostgreSQL, EDB Postgres Advanced Server, EDB Postgres Extended Server, WarehousePG, and CloudNativePG
Summary:  Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Read More...

CVE-2026-6479

  Read Assessment  Published: 2026/06/22

PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

PostgreSQL, EDB Postgres Advanced Server, EDB Postgres Extended Server, WarehousePG, and CloudNativePG
Summary:  Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Read More...

CVE-2026-6477

  Read Assessment  Published: 2026/06/22

PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

PostgreSQL, EDB Postgres Advanced Server, EDB Postgres Extended Server, WarehousePG, and CloudNativePG
Summary:  Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Read More...

CVE-2026-6476

  Read Assessment  Published: 2026/06/22

PostgreSQL pg_createsubscriber allows SQL injection via subscription name

PostgreSQL, EDB Postgres Advanced Server, EDB Postgres Extended Server, and CloudNativePG
Summary:  SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.
Read More...

CVE-2026-6475

  Read Assessment  Published: 2026/06/22

PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

PostgreSQL, EDB Postgres Advanced Server, EDB Postgres Extended Server, WarehousePG, and CloudNativePG
Summary:  Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Read More...

CVE-2026-6473

  Read Assessment  Published: 2026/06/22

PostgreSQL server undersizes allocations, via integer wraparound

PostgreSQL, EDB Postgres Advanced Server, EDB Postgres Extended Server, WarehousePG, and CloudNativePG
Summary:  Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Read More...

CVE-2026-44477

  Read Assessment  Published: 2026/05/12

Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE

EDB Cloud Service (formerly BigAnimal), Hybrid Manager (HM), EDB Postgres® AI for CloudNativePG™, EDB Postgres® AI for CloudNativePG™ Cluster, EDB Postgres® AI for CloudNativePG™ Global Cluster
Summary:  The CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres.
Read More...

CVE-2026-3172

  Read Assessment  Published: 2026/03/10

pgvector buffer overflow in parallel HNSW index build

EDB Postgres Extended Server, EDB Postgres Advanced Server, EDB Cloud Service (formerly BigAnimal), Hybrid Manager (HM), EDB Postgres® AI for CloudNativePG™, WarehousePG, pgvector versions 0.6.0-0.8.1, aidb, pgpu
Summary:  A buffer overflow in the parallel HNSW (Hierarchical Navigable Small World) index build process in the pgvector extension allows an authenticated database user to issue crafted queries that achieve a buffer overrun. This can lead to the leaking of sensitive data from other relations or a crash of the database server. The vulnerability is specifically triggered during concurrent index construction when multiple worker processes are utilized.
Read More...

CVE-2026-2007

  Read Assessment  Published: 2026/02/12

PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory

Postgresql 18.0 and 18.1, EDB Postgres Extended Server prior to 18.2.0, EDB Postgres Advanced Server prior to 18.2.0
Summary:  Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. Specifically affecting the pg_trgm extension, the vulnerability arises when crafted input causes an overflow, potentially leading to denial of service or privilege escalation.
Read More...

CVE-2026-2006

  Read Assessment  Published: 2026/02/12

PostgreSQL missing validation of multibyte character length executes arbitrary code

All versions of Postgresql prior to 18.2, 17.8, 16.12, 15.16, 14.21, EDB Postgres Extended Server prior to 18.2.0, 17.8.0, 16.12.0, 15.16.0, 14.21.0, EDB Postgres Advanced Server prior to 18.2.0, 17.8.0, 16.12.0, 15.16.0, 14.21.0
Summary:  Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. This can lead to arbitrary code execution as the operating system user running the database.
Read More...

CVE-2026-2005

  Read Assessment  Published: 2026/02/12

PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

All versions of Postgresql prior to 18.2, 17.8, 16.12, 15.16, 14.21, EDB Postgres Extended Server prior to 18.2.0, 17.8.0, 16.12.0, 15.16.0, 14.21.0, EDB Postgres Advanced Server prior to 18.2.0, 17.8.0, 16.12.0, 15.16.0, 14.21.0
Summary:  Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Insufficient validation of ciphertext length and structure before copying decrypted data into heap-allocated buffers leads to memory corruption.
Read More...

CVE-2026-2004

  Read Assessment  Published: 2026/02/12

PostgreSQL intarray extension selectivity estimator executes arbitrary code

All versions of Postgresql prior to 18.2, 17.8, 16.12, 15.16, 14.21, EDB Postgres Extended Server prior to 18.2.0, 17.8.0, 16.12.0, 15.16.0, 14.21.0, EDB Postgres Advanced Server prior to 18.2.0, 17.8.0, 16.12.0, 15.16.0, 14.21.0
Summary:  Improper validation of input types in the PostgreSQL intarray extension allows an object creator to execute arbitrary code as the operating system user running the database server. An authenticated user with object creation privileges can bypass type validation checks in the selectivity estimator function to compromise the underlying host.
Read More...

Released 2025

CVE-2025-8715

  Read Assessment  Updated: 2025/08/14

PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server

All versions of Postgresql prior to 17.6, 16.10, 15.14, 14.19, 13.22 3.x, EDB Postgres Extended Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22, EDB Postgres Advanced Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22
Summary:  Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
Read More...

CVE-2025-8714

  Read Assessment  Updated: 2025/08/14

PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

All versions of Postgresql prior to 17.6, 16.10, 15.14, 14.19, 13.22 3.x, EDB Postgres Extended Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22, EDB Postgres Advanced Server prior to 17.6.0, 16.10.0, 15.14.0, 14.19.0, 13.22
Summary:  Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
Read More...

CVE-2025-46801

  Read Assessment  Updated: 2025/07/04

Pgpool-II Authentication Bypass

All versions of EDB Pool prior to 4.5.1-4, PGPool-II versions prior to 4.6.1, 4.5.7, 4.4.12, 4.3.15, and 4.2.22
Summary:  Pgpool-II contains an authentication bypass vulnerability that can be exploited under certain conditions. If an attacker exploits the vulnerability they may be able to log in to the system as an arbitrary user, which could allow them to read or tamper with data in the database, and/or disable the database.
Read More...

CVE-2025-2291

  Read Assessment  Updated: 2025/04/30

PgBouncer "VALID UNTIL yesterday"

All versions of PGBouncer prior to 1.24.1, TPA prior to 23.38.0, PGAI Cloud Service prior to May 12, 2025
Summary:  In PgBouncer, the auth_query mechanism does not consider the VALID UNTIL attribute set in PostgreSQL for user passwords. This oversight allows users to authenticate using expired passwords, potentially granting unauthorized access. The flaw was fixed in [PgBouncer 1.24.1](https://www.pgbouncer.org/changelog.html#pgbouncer-124x).
Read More...

CVE-2025-12819

  Read Assessment  Updated: 2025/12/15

Arbitrary SQL execution in pgBouncer

All versions of EDB pgBouncer prior to 1.25.1, community and EDB Postgres® AI for CloudNativePG™ versions prior to 1.28.0, 1.27.2, 1.26.3, 1.25.5 and older, EDB Cloud Service versions before the 15th of December 2025 release
Summary:  Untrusted search path in auth_query connection handler in pgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Read More...

CVE-2025-1094

  Read Assessment  Updated: 2025/02/15

PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

All versions of PostgreSQL, EPAS and PGE prior to 17.3, 16.7, 15.11, 14.16, and 13.19
Summary:  Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Read More...

Released 2024

CVE-2024-7348

  Read Assessment  Updated: 2024/08/15

PostgreSQL relation replacement during pg_dump executes arbitrary SQL

All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13
Summary:  Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
Read More...

CVE-2024-4317

  Read Assessment  Updated: 2024/05/09

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12
Summary:  Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
Read More...

CVE-2024-1597

  Read Assessment  Updated: 2024/03/08

SQL Injection via line comment generation

pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5
Summary:  pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Read More...

CVE-2024-0985

  Read Assessment  Updated: 2025/01/31

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0
Summary:  Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
Read More...

CVE-2020-10531

  Read Assessment  Updated: 2024/11/14

Integer overflow in ICU doAppend()

All versions of EDB Postgres Advanced Server from 13 through 16
Summary:  The original vulnerability was an integer overflow leading to a heap-based buffer overflow in UnicodeString::doAppend() in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
Read More...

Could this page be better? Report a problem or suggest an addition!