CVE-2026-6472

EUVD-2026-30282
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types.  That is to say, the victim will execute arbitrary SQL functions of the attacker's choice.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
postgresql-13
bullseye
vulnerable
bullseye (security)
vulnerable
postgresql-15
bookworm
vulnerable
bookworm (security)
15.18-0+deb12u1
fixed
postgresql-17
trixie
vulnerable
trixie (security)
17.10-0+deb13u1
fixed
postgresql-18
forky
vulnerable
sid
18.4-1
fixed
Common Weakness Enumeration
References
https://www.postgresql.org/support/security/CVE-2026-6472/