CVE-2026-6476 - PostgreSQL pg_createsubscriber allows SQL injection via subscription name

First Published: 2026/06/22

Important: This is an assessment of the impact of CVE-2026-6476 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

Vulnerability details

CVE-ID: CVE-2026-6476

CVE Publish Date: 2026/05/14

CVSS Base Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products and versions

PostgreSQL

  • All versions prior to 18.4
  • All versions prior to 17.10

EnterpriseDB Postgres Advanced Server (EPAS)

  • All versions prior to 18.4
  • All versions prior to 17.10

EnterpriseDB Postgres Extended (PGE)

  • All versions prior to 18.4
  • All versions prior to 17.10

CloudNativePG

  • All operand versions prior to 18.4
  • All operand versions prior to 17.10

WarehousePG

WarehousePG is not affected. The vulnerability is in pg_createsubscriber, a utility added in PostgreSQL 17; WarehousePG (6.x and 7.x) is based on earlier PostgreSQL releases and does not ship pg_createsubscriber.

Remediation/fixes

EDB Postgres Extended Server

Affected Version | Fixed In | Fix Published
prior to 18.4.0  | 18.4.0   | 2026-05-14
prior to 17.10   | 17.10    | 2026-05-14

EDB Postgres Advanced Server

Affected Version | Fixed In | Fix Published
prior to 18.4    | 18.4     | 2026-05-14
prior to 17.10   | 17.10    | 2026-05-14

CloudNativePG

Customers should update to the fixed version of the PostgreSQL operands.

WarehousePG

Not affected. No remediation required.
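The following triage helper is an added example, not tooling from EDB or the PostgreSQL project. It applies the version rules stated in this advisory (pre-17 unaffected; 17.x fixed from 17.10; 18.x fixed from 18.4) to version strings such as the output of `pg_createsubscriber --version` or `SHOW server_version`, and carries a constructed catalog query for listing which roles hold the prerequisite pg_create_subscription membership.

```python
"""Version triage for CVE-2026-6476 (added example; not EDB's or PostgreSQL's code).
Assumes version strings like 'pg_createsubscriber (PostgreSQL) 17.9' or '18.4.0'."""
import re

# Minor version that carries the fix for each affected major, per this advisory.
FIXED_MINOR = {17: 10, 18: 4}

# Constructed audit query: roles that hold the prerequisite privilege through
# membership in the predefined pg_create_subscription role (standard catalogs).
AUDIT_PG_CREATE_SUBSCRIPTION = """
SELECT r.rolname, r.rolsuper
FROM pg_roles r
JOIN pg_auth_members m ON m.member = r.oid
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'pg_create_subscription'
ORDER BY r.rolname;
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)")

def parse_version(text: str) -> tuple[int, int]:
    """Extract (major, minor); a third component such as in '18.4.0' is ignored."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no major.minor version found in {text!r}")
    return int(m.group(1)), int(m.group(2))

def assess(text: str) -> str:
    """Classify a release as 'unaffected', 'vulnerable', 'fixed' or 'unknown'."""
    major, minor = parse_version(text)
    if major < 17:
        return "unaffected"   # pg_createsubscriber first shipped in PostgreSQL 17
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "unknown"      # major not covered by this advisory; consult the latest copy
    return "fixed" if minor >= fixed else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs, as collected from a fleet of hosts.
    for sample in ("pg_createsubscriber (PostgreSQL) 17.9",
                   "pg_createsubscriber (PostgreSQL) 18.4",
                   "16.8", "17.10.0"):
        print(f"{sample:45s} -> {assess(sample)}")
```

Run the query in AUDIT_PG_CREATE_SUBSCRIPTION on each instance to see who could exercise the precondition while the utility is still unpatched.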

References

Acknowledgement

Source: PostgreSQL.org

Change history

04 June 2026: Assessed WarehousePG — not affected

27 May 2026: Added CloudNativePG as an affected product

14 May 2026: Original Copy Published

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
