CVE-2026-6637

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.postgresql.org/support/security/CVE-2026-6637/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::

History

18 May 2026, 15:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:postgresql:postgresql::::::::
First Time		Postgresql Postgresql postgresql
References	~~() https://www.postgresql.org/support/security/CVE-2026-6637/ -~~	() https://www.postgresql.org/support/security/CVE-2026-6637/ - Patch, Vendor Advisory

14 May 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-14 14:16

Updated : 2026-05-18 15:05

NVD link : CVE-2026-6637

Mitre link : CVE-2026-6637

CVE.ORG link : CVE-2026-6637

JSON object : View

Products Affected

postgresql

postgresql

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2026-6637", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-05-14T14:16:25.820", "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6637/", "tags": ["Patch", "Vendor Advisory"], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "Stack buffer overflow in PostgreSQL module \"refint\" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a \"refint\" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "lastModified": "2026-05-18T15:05:21.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C432AE18-DD50-40EB-B46A-9283F30081DA", "versionEndExcluding": "14.23"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D8D994F-ABAB-4AC2-992F-320F4868698D", "versionEndExcluding": "15.18", "versionStartIncluding": "15.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B58AE3D3-E1C9-45D2-AA92-A3D135B77A8A", "versionEndExcluding": "16.14", "versionStartIncluding": "16.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A19538E9-DBB9-4396-AC04-17943E82C411", "versionEndExcluding": "17.10", "versionStartIncluding": "17.0"}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8DB17ED-67AD-41F2-B272-27AF5B4FA2B0", "versionEndExcluding": "18.4", "versionStartIncluding": "18.0"}], "operator": "OR"}]}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}