First Published: 2026/06/22
Important: This is an assessment of the impact of CVE-2026-6479 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Vulnerability details
CVE-ID: CVE-2026-6479
CVE Publish Date: 2026/05/14
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products and versions
PostgreSQL
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
EnterpriseDB Postgres Advanced Server (EPAS)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14.0
- All versions prior to 15.18.0
- All versions prior to 14.23.0
EnterpriseDB Postgres Extended (PGE)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
CloudNativePG
- All operand versions prior to 18.4
- All operand versions prior to 17.10
- All operand versions prior to 16.14
- All operand versions prior to 15.18
- All operand versions prior to 14.23
WarehousePG
WarehousePG 6.x is not affected: the SSL/GSS negotiation code path that triggers the uncontrolled recursion is not present in the 6.x line.
- All 7.2.x versions prior to 7.2.4
- All 7.3.x versions prior to 7.3.2
- All 7.4.x versions prior to 7.4.1
Remediation/fixes
EDB Postgres Extended Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4.0 | 18.4.0 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14 | 16.14 | 2026-05-14 |
| prior to 15.18 | 15.18 | 2026-05-14 |
| prior to 14.23 | 14.23 | 2026-05-14 |
EDB Postgres Advanced Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4 | 18.4 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14.0 | 16.14.0 | 2026-05-14 |
| prior to 15.18.0 | 15.18.0 | 2026-05-14 |
| prior to 14.23.0 | 14.23.0 | 2026-05-14 |
CloudNativePG
Customer should update to the fixed version of the PostgreSQL operands.
WarehousePG
WarehousePG 6.x is not affected. WarehousePG 7.x fixes are available in the following versions:
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| All 7.2.x prior to 7.2.4 | 7.2.4-WHPG | 2026-06-15 |
| All 7.3.x prior to 7.3.2 | 7.3.2-WHPG | 2026-06-15 |
| All 7.4.x prior to 7.4.1 | 7.4.1-WHPG | 2026-06-15 |
| Development (main) prior to 7.5.0 | 7.5.0-WHPG | 2026-06-08 |
References
- CVSS Calculator v3.1
- NVD - CVE-2026-6479 Detail
- https://www.postgresql.org/support/security/CVE-2026-6479/
- CWE-674 Uncontrolled Recursion
Related information
Acknowledgement
Source: PostgreSQL.org
Change history
22 June 2026: Updated WarehousePG remediation with released fix versions
04 June 2026: Added WarehousePG (7.x affected; 6.x not affected)
27 May 2026: Added CloudNativePG as an affected product
14 May 2026: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.