Vulnerability Description
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Postgresql | Postgresql | < 14.23 |
Related Weaknesses (CWE)
References
- https://www.postgresql.org/support/security/CVE-2026-6475/PatchVendor Advisory
FAQ
What is CVE-2026-6475?
CVE-2026-6475 is a vulnerability with a CVSS score of 8.8 (HIGH). Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system accoun...
How severe is CVE-2026-6475?
CVE-2026-6475 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6475?
Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql.