First Published: 2026/06/22
Important: This is an assessment of the impact of CVE-2026-6637 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
A stack buffer overflow in the PostgreSQL contrib module "refint" (the check_primary_key() and check_foreign_key() trigger functions shipped with the spi example modules) allows an unprivileged database user to execute arbitrary code as the operating system user running the database server. A distinct attack is possible when an application declares a user-controlled column as a "refint" cascade primary key and lets users update that column: the new primary-key value is not neutralized before refint uses it, so whoever supplies that value can execute arbitrary SQL as the database user performing the primary-key update (a SQL injection). Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
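The two questions a practitioner needs answered are whether the server is on a fixed minor release and whether refint is actually in use, since both attack paths go through refint's trigger functions and those are C-language functions that only a superuser can create. The queries below are an added example, not part of the EDB advisory or of PostgreSQL's own tooling. They assume community PostgreSQL version numbering (server_version_num = major*10000 + minor) and the standard refint function names and library path; the table, column, trigger and constraint names in the mitigation step are hypothetical.

```sql
-- Added example (not from the EDB advisory). Run as a superuser, or as a
-- role that can read pg_proc.probin.

-- 1. Version check. The first fixed releases named in this advisory are
--    18.4, 17.10, 16.14, 15.18 and 14.23, i.e. server_version_num
--    180004, 170010, 160014, 150018 and 140023. EPAS, PGE and WarehousePG
--    should additionally be compared against the product versions above.
WITH v AS (
    SELECT current_setting('server_version_num')::int AS num
),
fixed(major, min_num) AS (
    VALUES (18, 180004), (17, 170010), (16, 160014), (15, 150018), (14, 140023)
)
SELECT version()  AS server,
       v.num      AS server_version_num,
       CASE
           WHEN f.min_num IS NULL  THEN 'major release not covered by this advisory'
           WHEN v.num >= f.min_num THEN 'fixed'
           ELSE 'affected by CVE-2026-6637'
       END        AS status
FROM v
LEFT JOIN fixed f ON f.major = v.num / 10000;   -- integer division yields the major

-- 2. Is refint in use? Its trigger functions are loaded from $libdir/refint
--    and are conventionally named check_primary_key() / check_foreign_key().
--    A trigger whose argument list contains 'cascade' is the variant that
--    rewrites referencing rows on a key update, which is the path the
--    SQL-injection attack described above goes through.
SELECT n.nspname                                   AS schema_name,
       c.relname                                   AS table_name,
       t.tgname                                    AS trigger_name,
       p.proname                                   AS trigger_function,
       encode(t.tgargs, 'escape') ILIKE '%cascade%' AS cascade_action,
       pg_get_triggerdef(t.oid)                    AS definition
FROM pg_trigger t
JOIN pg_class     c ON c.oid = t.tgrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_proc      p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal
  AND (p.probin ILIKE '%refint%'
       OR p.proname IN ('check_primary_key', 'check_foreign_key'))
ORDER BY 1, 2, 3;

-- 3. Mitigation while a patch is pending. refint predates declarative
--    foreign keys; the built-in constraint provides the same cascade without
--    interpolating the new key value into SQL. Names are hypothetical.
-- DROP TRIGGER customers_refint ON customers;      -- the refint cascade trigger
-- ALTER TABLE orders
--     ADD CONSTRAINT orders_customer_fk
--     FOREIGN KEY (customer_id) REFERENCES customers (id)
--     ON UPDATE CASCADE ON DELETE CASCADE;
```

A server with no rows from query 2 has no refint triggers installed and neither attack path is reachable; a server that does return rows should be patched regardless of whether any trigger uses the cascade action, since the stack overflow does not depend on it.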
Vulnerability details
CVE-ID: CVE-2026-6637
CVE Publish Date: 2026/05/14
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products and versions
PostgreSQL
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
EnterpriseDB Postgres Advanced Server (EPAS)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14.0
- All versions prior to 15.18.0
- All versions prior to 14.23.0
EnterpriseDB Postgres Extended (PGE)
- All versions prior to 18.4
- All versions prior to 17.10
- All versions prior to 16.14
- All versions prior to 15.18
- All versions prior to 14.23
CloudNativePG
- All operand versions prior to 18.4
- All operand versions prior to 17.10
- All operand versions prior to 16.14
- All operand versions prior to 15.18
- All operand versions prior to 14.23
WarehousePG
- All 6.x versions prior to 6.27.5
- All 7.2.x versions prior to 7.2.4
- All 7.3.x versions prior to 7.3.2
- All 7.4.x versions prior to 7.4.1
Remediation/fixes
EDB Postgres Extended Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4 | 18.4 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14 | 16.14 | 2026-05-14 |
| prior to 15.18 | 15.18 | 2026-05-14 |
| prior to 14.23 | 14.23 | 2026-05-14 |
EDB Postgres Advanced Server
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| prior to 18.4 | 18.4 | 2026-05-14 |
| prior to 17.10 | 17.10 | 2026-05-14 |
| prior to 16.14.0 | 16.14.0 | 2026-05-14 |
| prior to 15.18.0 | 15.18.0 | 2026-05-14 |
| prior to 14.23.0 | 14.23.0 | 2026-05-14 |
CloudNativePG
Customers should update their clusters to a fixed PostgreSQL operand image (18.4, 17.10, 16.14, 15.18 or 14.23, or later within the same major release).
WarehousePG
WarehousePG fixes are available in the following versions:
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| All 6.x prior to 6.27.5 | 6.27.5-WHPG | 2026-06-15 |
| All 7.2.x prior to 7.2.4 | 7.2.4-WHPG | 2026-06-15 |
| All 7.3.x prior to 7.3.2 | 7.3.2-WHPG | 2026-06-15 |
| All 7.4.x prior to 7.4.1 | 7.4.1-WHPG | 2026-06-15 |
| Development (main) prior to 7.5.0 | 7.5.0-WHPG | 2026-06-08 |
References
- CVSS Calculator v3.1
- NVD - CVE-2026-6637 Detail
- https://www.postgresql.org/support/security/CVE-2026-6637/
- CWE-121 Stack-based Buffer Overflow
- CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related information
Acknowledgement
Source: PostgreSQL.org
Change history
22 June 2026: Added WarehousePG as an affected product and recorded released fix versions
27 May 2026: Added CloudNativePG as an affected product
14 May 2026: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.