Description

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

PUBLISHED Reserved 2026-04-17 | Published 2026-05-14 | Updated 2026-05-14 | Assigner PostgreSQL




MEDIUM: 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

Missing Authorization

Credits

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

References

www.postgresql.org/support/security/CVE-2026-6472/

cve.org (CVE-2026-6472)

nvd.nist.gov (CVE-2026-6472)
