PostgreSQL up to 18.3 .bashrc shared_preload_libraries symlink

Summaryinfo

A vulnerability was found in PostgreSQL up to 14.22/15.17/16.13/17.9/18.3. It has been classified as critical. Affected is the function shared_preload_libraries in the library /var/lib/postgres/.bashrc. Performing a manipulation results in symlink. This vulnerability is cataloged as CVE-2026-6475. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical has been found in PostgreSQL up to 14.22/15.17/16.13/17.9/18.3. This affects the function shared_preload_libraries in the library /var/lib/postgres/.bashrc. The manipulation with an unknown input leads to a symlink vulnerability. CWE is classifying the issue as CWE-61. The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

It is possible to read the advisory at postgresql.org. This vulnerability is uniquely identified as CVE-2026-6475 since 04/17/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 315292 (SUSE SLES12 Security Update : postgresql18 (SUSE-SU-2026:1946-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 14.23, 15.18, 16.14, 17.10 or 18.4 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (315292) and CERT Bund (WID-SEC-2026-1544). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Debian Linux
• Ubuntu Linux
• SUSE Linux
• SUSE openSUSE
• Open Source PostgreSQL

Productinfo

Type

• Database Software

Name

• PostgreSQL

Version

• 14.0
• 14.1
• 14.2
• 14.3
• 14.4
• 14.5
• 14.6
• 14.7
• 14.8
• 14.9
• 14.10
• 14.11
• 14.12
• 14.13
• 14.14
• 14.15
• 14.16
• 14.17
• 14.18
• 14.19
• 14.20
• 14.21
• 14.22
• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 16.0
• 16.1
• 16.2
• 16.3
• 16.4
• 16.5
• 16.6
• 16.7
• 16.8
• 16.9
• 16.10
• 16.11
• 16.12
• 16.13
• 17.0
• 17.1
• 17.2
• 17.3
• 17.4
• 17.5
• 17.6
• 17.7
• 17.8
• 17.9
• 18.0
• 18.1
• 18.2
• 18.3

License

• open-source

Website

• Product: https://www.postgresql.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion