{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6475", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2026-04-17T00:43:21.782Z", "datePublished": "2026-05-14T13:00:11.039Z", "dateUpdated": "2026-05-15T03:56:16.367Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-05-14T13:00:11.039Z"}, "title": "PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice", "descriptions": [{"lang": "en", "value": "Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "18.4", "status": "affected", "version": "18", "versionType": "rpm"}, {"lessThan": "17.10", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.14", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.18", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.23", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-61", "type": "CWE", "description": "UNIX Symbolic Link (Symlink) Following"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6475/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-14T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-6475"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-15T03:56:16.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-14T15:30:49.750962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T15:31:04.651Z"}}], "cna": {"title": "PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "18", "lessThan": "18.4", "versionType": "rpm"}, {"status": "affected", "version": "17", "lessThan": "17.10", "versionType": "rpm"}, {"status": "affected", "version": "16", "lessThan": "16.14", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.18", "versionType": "rpm"}, {"status": "affected", "version": "0", "lessThan": "14.23", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6475/"}], "descriptions": [{"lang": "en", "value": "Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-61", "description": "UNIX Symbolic Link (Symlink) Following"}]}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-05-14T13:00:11.039Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6475", "state": "PUBLISHED", "dateUpdated": "2026-05-15T03:56:16.367Z", "dateReserved": "2026-04-17T00:43:21.782Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2026-05-14T13:00:11.039Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "18.4", "status": "affected", "version": "18", "versionType": "rpm"}, {"lessThan": "17.10", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.14", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.18", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.23", "status": "affected", "version": "0", "versionType": "rpm"}]}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "C432AE18-DD50-40EB-B46A-9283F30081DA", "versionEndExcluding": "14.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D8D994F-ABAB-4AC2-992F-320F4868698D", "versionEndExcluding": "15.18", "versionStartIncluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "B58AE3D3-E1C9-45D2-AA92-A3D135B77A8A", "versionEndExcluding": "16.14", "versionStartIncluding": "16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "A19538E9-DBB9-4396-AC04-17943E82C411", "versionEndExcluding": "17.10", "versionStartIncluding": "17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8DB17ED-67AD-41F2-B272-27AF5B4FA2B0", "versionEndExcluding": "18.4", "versionStartIncluding": "18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "id": "CVE-2026-6475", "lastModified": "2026-06-17T11:00:51.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-6475", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2026-05-14T00:00:00+00:00", "version": "2.0.3"}}]}, "published": "2026-05-14T14:16:25.113", "references": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.postgresql.org/support/security/CVE-2026-6475/"}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-61"}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}

{"bugzilla": {"description": "postgresql: PostgreSQL: Operating system account hijack via symlink following in pg_basebackup and pg_rewind", "id": "2477439", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477439"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-59", "details": ["A flaw was found in PostgreSQL. This vulnerability, related to symlink following in pg_basebackup (plain format) and pg_rewind, allows an origin superuser to overwrite local files. By exploiting this, an attacker could potentially hijack the operating system account. This attack has practical implications if specific actions are taken, such as moving files to a different virtual machine (VM) or snapshotting the VM, between the execution of these commands and the server's restart."], "name": "CVE-2026-6475", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "postgresql16", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "postgresql18", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libpq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "postgresql-jdbc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql:15/postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "postgresql:18/postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "postgresql17", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "postgresql18", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-05-14T13:00:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6475\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6475\nhttps://www.postgresql.org/support/security/CVE-2026-6475/"], "statement": "This MODERATE symlink following vulnerability in PostgreSQL's pg_basebackup and pg_rewind allows an origin superuser to overwrite local files. Exploitation requires local access, high privileges (superuser), and specific intermediate actions before server restart. Impact is high to confidentiality, integrity, and availability if exploited. Affects versions before 18.4, 17.10, 16.14, 15.18, and 14.23.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18,18.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17,17.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[16,16.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[15,15.18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,14.23)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "PostgreSQL", "source": "cna", "vendor": "n/a"}, "product": "postgresql", "vendor": "postgresql"}], "created": "2026-05-14T14:45:22.147259+00:00", "updated": "2026-06-04T02:15:03.400687+00:00", "vendors": ["postgresql", "postgresql$PRODUCT$postgresql"]}