CVE-2026-6472

Description

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

How to fix CVE-2026-6472

To remediate CVE-2026-6472, upgrade the affected package to a fixed version below.

• —upgrade to 15.18-r0 or later
• —upgrade to 16.14-r0 or later
• —upgrade to 17.10-r0 or later
• —upgrade to 18.4-r0 or later
• —upgrade to 14.23.0 or later
• —no fix listed
• —upgrade to 15.18-0+deb12u1 or later
• —upgrade to 17.10-0+deb13u1 or later
• —upgrade to 18.4-1 or later

Is CVE-2026-6472 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (9)

• from 0, < 15.18-r0
• from 0, < 16.14-r0
• from 0, < 17.10-r0
• from 0, < 18.4-r0
• from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• from 0
• from 0, < 15.18-0+deb12u1
• from 0, < 17.10-0+deb13u1
• from 0, < 18.4-1

CVSS scores

References (4)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-6472
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-6472
• WEBnvd.nist.gov/vuln/detail/CVE-2026-6472
• WEBwww.postgresql.org/support/security/CVE-2026-6472/