CVE-2026-6638 LOW

CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

Vendor N/A

Product PostgreSQL

Weakness CWE-89 · SQLi

Published May 14, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

Key dates

02Disclosure timeline

May 14, 2026 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-6638 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

Identifiers

CVE CVE-2026-6638

CWE CWE-89

CVSS 3.7 / LOW

Affected versions

Vendor N/A

Product PostgreSQL

Affected ≥ 18 and < 18.4

Vendor N/A

Product PostgreSQL

Affected ≥ 17 and < 17.10

Vendor N/A

Product PostgreSQL

Affected ≥ 16 and < 16.14

CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

01Description

02Disclosure timeline

03References

04Related CVE