Critical PostgreSQL Flaws Allow Code Execution & SQL

Marcus Rodriguez, May 19, 2026

The PostgreSQL Global Development Group has released critical security updates. These patches address 11 vulnerabilities across all supported branches, including arbitrary code execution and several SQL injection flaws.

Table of Contents

  • PostgreSQL Vulnerabilities
  • Code Execution via refint Module
  • SQL Injection in Replication Components
  • Other Critical Memory and Client‑Side Issues

PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 have been released as security and maintenance updates.

These minor versions address 11 CVEs plus more than 60 bugs reported over the last few months, making this a high-priority release for production databases.

All supported branches from 14 through 18 are affected by at least some of the issues, so simply running a newer major version does not remove the risk.

Admins can upgrade in place by stopping PostgreSQL, updating the binaries and restarting; a dump/restore or pg_upgrade is not required for these minor updates.

PostgreSQL Vulnerabilities

Code Execution via refint Module

CVE-2026-6637 is one of the most serious bugs. It is located in the refint module, a contrib extension used to enforce referential integrity.

A stack buffer overflow allows an unprivileged database user to execute arbitrary code as the operating system account running PostgreSQL, turning a database-level foothold into a full server compromise.

A separate attack scenario arises when an application exposes a user-controlled column as a refint-cascade primary key and allows users to update it.

In this case, a crafted primary key update can trigger SQL injection, allowing the attacker to execute arbitrary SQL with the database privileges of the role performing the update.

Vulnerability    Impact
CVE-2026-6472    Privilege bypass and arbitrary SQL execution
CVE-2026-6473    Potential RCE and memory corruption
CVE-2026-6474    Server memory information leak
CVE-2026-6475    Arbitrary file overwrite vulnerability
CVE-2026-6476    SQL injection with superuser execution
CVE-2026-6477    Client-side code execution risk
CVE-2026-6478    MD5 credential timing leak
CVE-2026-6479    SSL/GSS denial-of-service flaw
CVE-2026-6575    Limited memory disclosure issue
CVE-2026-6637    Stack overflow and SQL injection
CVE-2026-6638    SQL injection in logical replication

SQL Injection in Replication Components

Logical replication features contain multiple SQL injection paths that can be abused for privilege escalation.

CVE-2026-6476 affects pg_createsubscriber and lets an attacker with pg_create_subscription rights inject SQL that runs with superuser privileges when pg_createsubscriber is invoked.

CVE-2026-6638 resides in ALTER SUBSCRIPTION … REFRESH PUBLICATION.

A user who can create tables on the subscriber can craft table names that cause arbitrary SQL to execute with the publication side's credentials the next time REFRESH PUBLICATION runs.

According to the PostgreSQL release announcement, these flaws primarily affect PostgreSQL 16 through 18 environments that use logical replication.

Other Critical Memory and Client‑Side Issues

Several vulnerabilities affect memory safety, denial-of-service, and client tools.

CVE-2026-6473 describes integer wraparound issues that cause undersized memory allocations and out-of-bounds writes, leading to segmentation faults when attackers supply crafted inputs.

CVE-2026-6477 affects the libpq client library through unsafe use of PQfn in large-object helper functions such as lo_export() and lo_read().

A malicious or compromised server superuser can send oversized responses that overwrite stack memory in client tools like psql and pg_dump, potentially leading to client-side code execution.

Backup utilities are also impacted: CVE-2026-6475 allows pg_basebackup (plain format) and pg_rewind to follow symbolic links and overwrite arbitrary local files chosen by the origin superuser, such as shell profiles.

In addition, PostgreSQL 14 is scheduled to reach end-of-life on November 12, 2026, after which it will no longer receive fixes.

Organizations still running 14 should both apply 14.23 now and start planning a migration to a newer supported branch.

Given the combination of code execution, SQL injection, memory corruption, and client-side risks, these updates should be treated as urgent, especially for internet-exposed or multi-tenant PostgreSQL deployments.

Teams should prioritize upgrading to 18.4, 17.10, 16.14, 15.18, or 14.23 and review their use of refint, logical replication, and client tooling as part of their hardening efforts.
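A small triage helper, added here as an example and not taken from the article or from the PostgreSQL project, that checks the output of SHOW server_version against the fixed minor versions listed above and carries the two review queries (refint extension present, logical subscriptions defined) an admin would run next. The sample fleet it prints is constructed, and the pg_extension and pg_subscription catalogs are standard.

```python
"""Triage a fleet of PostgreSQL servers against the May 2026 security release."""
import re

# Fixed minor versions from the release: 18.4, 17.10, 16.14, 15.18, 14.23.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
# Branch-specific reminder from the announcement.
EOL_NOTE = {14: "branch reaches end-of-life on 2026-11-12; plan a migration"}

# Catalog queries an admin can run to review exposure to the refint and
# logical replication issues (standard catalogs, not release-specific).
REVIEW_SQL = {
    "refint_installed": "SELECT count(*) FROM pg_extension WHERE extname = 'refint';",
    "logical_subscriptions": "SELECT subname, subowner::regrole FROM pg_subscription;",
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)")


def parse_version(server_version: str) -> tuple[int, int]:
    """'16.9 (Ubuntu 16.9-1.pgdg22.04+1)' -> (16, 9); raises on unparseable text."""
    match = _VERSION_RE.match(server_version)
    if not match:
        raise ValueError(f"unrecognised server_version: {server_version!r}")
    return int(match.group(1)), int(match.group(2))


def triage(server_version: str) -> dict:
    """Classify one server as patched, vulnerable, or on an unsupported branch."""
    major, minor = parse_version(server_version)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        status = "unsupported"
        action = "branch not covered by this release; migrate to a supported major"
    elif minor >= fixed:
        status, action = "patched", "none"
    else:
        status = "vulnerable"
        action = f"upgrade to {major}.{fixed} (stop server, update binaries, restart)"
    if major in EOL_NOTE:
        action += "; " + EOL_NOTE[major]
    return {"version": f"{major}.{minor}", "status": status, "action": action}


def triage_fleet(servers: dict[str, str]) -> list[str]:
    """Return the names (sorted) of servers still on a vulnerable minor."""
    return sorted(n for n, v in servers.items() if triage(v)["status"] == "vulnerable")


if __name__ == "__main__":
    fleet = {"db-a": "16.9 (Ubuntu 16.9-1.pgdg22.04+1)", "db-b": "17.10", "db-c": "14.23"}
    for name, ver in fleet.items():  # constructed sample fleet, not real hosts
        print(name, triage(ver))
    print("needs upgrade:", triage_fleet(fleet), "| review:", list(REVIEW_SQL))
```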
