First Published: 2026/06/22
Important: This is an assessment of the impact of CVE-2026-6475 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Vulnerability details
CVE-ID: CVE-2026-6475
CVE Publish Date: 2026/05/14
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products and versions
PostgreSQL
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
EnterpriseDB Postgres Advanced Server (EPAS)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14.0
- All versions prior to 15.18.0
- All versions prior to 14.23.0
EnterpriseDB Postgres Extended (PGE)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
CloudNativePG
- All operand versions prior to 18.4
- All operand versions prior to 17.10
- All operand versions prior to 16.14
- All operand versions prior to 15.18
- All operand versions prior to 14.23
WarehousePG
- All 6.x versions prior to 6.27.5
- All 7.2.x versions prior to 7.2.4
- All 7.3.x versions prior to 7.3.2
- All 7.4.x versions prior to 7.4.1
Remediation/fixes
EDB Postgres Extended Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4.0 | 18.4.0 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14 | 16.14 | 2026-05-14 |
| prior to 15.18 | 15.18 | 2026-05-14 |
| prior to 14.23 | 14.23 | 2026-05-14 |
EDB Postgres Advanced Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4 | 18.4 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14.0 | 16.14.0 | 2026-05-14 |
| prior to 15.18.0 | 15.18.0 | 2026-05-14 |
| prior to 14.23.0 | 14.23.0 | 2026-05-14 |
CloudNativePG
Customer should update to the fixed version of the PostgreSQL operands.
WarehousePG
WarehousePG fixes are available in the following versions:
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| All 6.x prior to 6.27.5 | 6.27.5-WHPG | 2026-06-15 |
| All 7.2.x prior to 7.2.4 | 7.2.4-WHPG | 2026-06-15 |
| All 7.3.x prior to 7.3.2 | 7.3.2-WHPG | 2026-06-15 |
| All 7.4.x prior to 7.4.1 | 7.4.1-WHPG | 2026-06-15 |
| Development (main) prior to 7.5.0 | 7.5.0-WHPG | 2026-06-08 |
References
- CVSS Calculator v3.1
- NVD - CVE-2026-6475 Detail
- https://www.postgresql.org/support/security/CVE-2026-6475/
- CWE-61 UNIX Symbolic Link (Symlink) Following
Related information
Acknowledgement
Source: PostgreSQL.org
Change history
22 June 2026: Updated WarehousePG remediation with released fix versions
04 June 2026: Added WarehousePG as an affected product
27 May 2026: Added CloudNativePG as an affected product
14 May 2026: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.