
PostgreSQL Patches 11 Security Flaws, Including Code Execution and a Sneaky Password-Stealing Timing Attack

PostgreSQL security updates address critical vulnerabilities

The world's most widely deployed open-source relational database has shipped a large, coordinated security update. If you haven't patched yet, keep in mind that the advisories are public and attackers read release notes too.

The PostgreSQL Global Development Group shipped coordinated security releases across every supported major version: 18.4, 17.10, 16.14, 15.18 and 14.23. Together they fix 11 CVEs (Common Vulnerabilities and Exposures) and more than 60 other bugs. Three of the CVEs carry a CVSS score of 8.8 out of 10, which is rated "high"; a score in that band typically corresponds to an attack that is reachable over the network, low in complexity, needs no user interaction, and requires only an account with ordinary privileges.

The Flaws That Matter Most

The headline vulnerability is CVE-2026-6637, a stack buffer overflow in PostgreSQL's refint contrib module, a set of trigger functions for enforcing referential integrity between tables. On a server where the extension is installed, a non-superuser database user can craft input that triggers the overflow and runs arbitrary code as the operating-system user the database runs as. That is a full server compromise from an ordinary database account; the attacker does need a login on the server, but nothing more.

Equally alarming is CVE-2026-6473: integer wraparound in several server features lets an attacker make the server allocate an undersized memory block and then write past its end. The visible symptom is usually a crash (a denial of service), but an out-of-bounds write is memory corruption and should be treated as potentially exploitable until proven otherwise. Ten independent security researchers reported this one, which says less about active exploitation than about how easy the pattern is to find; assume proof-of-concept triggers will circulate quickly.

Then there's a subtler threat: CVE-2026-6478, a timing side channel in how PostgreSQL verifies MD5-hashed passwords during authentication. An attacker who can make many authentication attempts and measure small differences in how long the server takes to reject each one can learn information about the stored credential, even though every rejected attempt returns the same error message. The catch: this only affects roles whose password is stored in the legacy MD5 format. That format is typically inherited from clusters upgraded from PostgreSQL 13 or earlier, before scram-sha-256 became the default password_encryption in version 14, but any role created while password_encryption was set to md5 has it too. Roles stored with scram-sha-256 are not affected. If you're on an upgraded cluster, check pg_authid: a rolpassword value starting with "md5" marks an affected role. The server cannot convert an MD5 hash to SCRAM on its own, so each such role needs its password reset after password_encryption is switched to scram-sha-256, and pg_hba.conf entries should then be moved from md5 to scram-sha-256 so MD5 can no longer be negotiated.
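To make the bug class concrete, here is an added example (not PostgreSQL's code, and not a description of the exact code path, which the article does not detail). It reproduces the stored MD5 format, models an early-exit comparison of the hex digests against the constant-time form, and shows that the early-exit version lets a guesser rebuild the expected value one hex character at a time while the constant-time version gives no such foothold. Elapsed time is simulated as the number of characters compared before the comparison stopped, so it runs offline and deterministically; the username, password and salt are constructed values, and the pg_authid query is included as a constant because it is the inventory check to run on an upgraded cluster.

```python
"""Early-exit vs constant-time comparison of password-hash responses.

Added example, not PostgreSQL's own code. It models the *class* of weakness
the article describes, not the exact PostgreSQL code path. "Time" is
simulated as the number of characters compared before the comparison
stopped. Username, password and salt below are constructed test values.
"""
import hashlib
import hmac
from typing import Callable, Tuple

# Roles still on the legacy format have rolpassword beginning with "md5".
# Run this through psql on an upgraded cluster (reading pg_authid needs superuser).
MD5_ROLE_QUERY = (
    "SELECT rolname FROM pg_authid WHERE rolpassword LIKE 'md5%' ORDER BY rolname;"
)

HEX = "0123456789abcdef"
Oracle = Callable[[str], Tuple[bool, int]]   # candidate -> (accepted, simulated time)


def pg_md5_stored(password: str, username: str) -> str:
    """Stored MD5 format: 'md5' + hex(md5(password + username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def leaky_compare(expected: str, candidate: str) -> Tuple[bool, int]:
    """Early-exit comparison (the weak pattern). Returns (match, steps);
    steps grows with the length of the matching prefix, which is exactly
    the signal a timing attacker measures."""
    steps = 0
    for a, b in zip(expected, candidate):
        steps += 1
        if a != b:
            return False, steps
    return len(expected) == len(candidate), steps


def constant_time_compare(expected: str, candidate: str) -> Tuple[bool, int]:
    """Hardened form: hmac.compare_digest takes the same time wherever the
    strings differ, so the only observable is accept/reject."""
    ok = hmac.compare_digest(expected.encode(), candidate.encode())
    return ok, len(expected)   # fixed cost, no prefix signal


def recover_via_timing(oracle: Oracle, length: int) -> str:
    """Rebuild a hex secret one character at a time: at each position keep
    the candidate for which the oracle ran longest (or finally matched)."""
    known = ""
    for pos in range(length):
        pad = "0" * (length - pos - 1)
        known += max(HEX, key=lambda h: oracle(known + h + pad))
    return known


def demo(stored: str, salt: bytes) -> dict:
    """Run the recovery against both comparison styles for one auth exchange."""
    # The client proves knowledge of the stored hash by sending
    # hex(md5(stored_hex + salt)); the server recomputes the same value,
    # and the comparison of those two hex strings is where the leak lives.
    expected = hashlib.md5(stored[3:].encode() + salt).hexdigest()
    leaky = recover_via_timing(lambda c: leaky_compare(expected, c), len(expected))
    hardened = recover_via_timing(lambda c: constant_time_compare(expected, c), len(expected))
    return {
        "expected": expected,
        "leaky_recovered": leaky == expected,       # True: prefix timing leaks it all
        "hardened_recovered": hardened == expected,  # False: no signal to follow
    }


if __name__ == "__main__":
    stored = pg_md5_stored("correct horse battery staple", "app_user")  # constructed
    print(demo(stored, bytes.fromhex("a1b2c3d4")))                       # constructed salt
```

The recovery loop needs one comparison per candidate character per position (16 × 32 here) rather than 16^32 guesses, which is why a prefix-dependent comparison time is a credential leak and not a curiosity. In real deployments the measurement is noisier and each attempt is logged as a failed login, so watch for bursts of authentication failures against MD5 roles while you migrate them.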

Logical Replication and Symlink Tricks

Two more vulnerabilities deserve attention for production deployments. CVE-2026-6638 is a SQL injection through ALTER SUBSCRIPTION ... REFRESH PUBLICATION: a user who can create tables on the subscriber can get arbitrary SQL executed with the credentials the subscription uses to connect to the publisher. Logical replication (selectively streaming changes from a publisher to a subscriber) frequently crosses trust boundaries, and subscriptions are often configured with a superuser connection string, which turns this into a full compromise of the publisher. Patch, and also give each subscription a dedicated publisher-side role that has only the REPLICATION attribute and SELECT on the published tables, so the blast radius of any future bug in this path stays small.

Meanwhile, CVE-2026-6475 is a symlink-following bug in pg_basebackup and pg_rewind: the tools could be made to follow a symbolic link when writing files on the target, so a malicious or compromised superuser on the origin server can overwrite sensitive OS-level files, such as .bashrc, on the host running the tool, and with them hijack the operating-system account used for backups or failover. The risk is greatest where a standby is rebuilt from a possibly compromised primary. Because these are client-side tools, patch the hosts that run them (backup hosts, standbys) and not only the primary.

What You Should Do Right Now

The update process is straightforward: these are minor releases, so no dump/restore or schema migration is required. Stop PostgreSQL, replace the binaries (server, client tools and any contrib packages together), restart. Package managers usually do the restart for you; confirm afterwards by running SHOW server_version in psql.

  • Linux (Debian/Ubuntu, distro or PGDG packages): sudo apt update && sudo apt install --only-upgrade postgresql-17 postgresql-client-17
  • RHEL/Fedora: sudo dnf update 'postgresql17*' with PGDG packages, or sudo dnf update 'postgresql*' with the distribution's own packages
  • macOS (Homebrew): brew upgrade postgresql@17

For managed cloud databases (AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL), minor version patches roll out during maintenance windows, and only if automatic minor-version upgrades are enabled for the instance. Log into your console now and verify you're on the patched release, or trigger a manual upgrade if your provider supports it.
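The verification step above is easy to get wrong when a distro suffix is tacked onto the version string. The following added script (not from the PostgreSQL project) classifies what a cluster reports against the minimum fixed versions listed in this article; it accepts either SHOW server_version or the numeric SHOW server_version_num, and the sample strings in the usage note are constructed.

```python
"""Post-patch check: does a cluster report a fixed minor version?

Added example, not from the PostgreSQL project. The minimum fixed versions
are the ones the article lists. Feed it the output of `SHOW server_version`
(text, sometimes with a distro suffix) or `SHOW server_version_num`
(major*10000 + minor, easier to parse), e.g.:

    psql -XAtc "SHOW server_version_num" | python3 check_pg_patch.py
"""
import re
import sys
from typing import Tuple

# Minimum minor version per supported major, as listed in the article.
PATCHED = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}
EOL_NOTE = {14: "PostgreSQL 14 reaches end-of-life on 12 November 2026; schedule a major upgrade"}


def parse_server_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) from '17.10', '16.14 (Ubuntu 16.14-1.pgdg24.04+1)'
    or the numeric form '170010'. Pre-10 three-part versions are not handled."""
    text = text.strip()
    if re.fullmatch(r"\d{6}", text):            # server_version_num
        num = int(text)
        return num // 10000, num % 10000
    m = re.match(r"(\d+)\.(\d+)", text)          # server_version; suffix ignored
    if not m:
        raise ValueError(f"unrecognised server version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(text: str) -> Tuple[str, str]:
    """Classify a reported version as 'patched', 'vulnerable' or 'unsupported'."""
    major, minor = parse_server_version(text)
    if major not in PATCHED:
        return "unsupported", f"{major}.{minor} is not a major version this update covers; move to a supported major"
    if minor < PATCHED[major]:
        return "vulnerable", f"{major}.{minor} is below {major}.{PATCHED[major]}; patch now"
    msg = f"{major}.{minor} carries the fix"
    if major in EOL_NOTE:
        msg += f"; {EOL_NOTE[major]}"
    return "patched", msg


if __name__ == "__main__":
    status, detail = assess(sys.stdin.read())
    print(f"{status}: {detail}")
    sys.exit(0 if status == "patched" else 1)
```

The exit code makes it usable in a fleet-wide loop over hosts; prefer server_version_num on the wire, since packagers append build information to server_version and a naive string comparison such as "17.9" > "17.10" gives the wrong answer.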

This update also serves as a final warning for teams still running PostgreSQL 14: the branch reaches end-of-life on November 12, 2026, after which it receives no further security fixes, so 14.23 is one of the last patches it will ever get. If production workloads are still on 14, treat this upgrade cycle as the deadline to plan the migration to a current major such as 16, 17 or 18.

PostgreSQL powers infrastructure at companies ranging from Apple and Instagram to a large share of cloud-native SaaS platforms. A database this deeply embedded in the internet's plumbing is exactly the kind of target that threat actors watch for new advisories. The 60+ bug fixes bundled alongside these CVEs make patching a double win: security and stability in a single restart.
