The PostgreSQL Global Development Group (PGDG) takes security seriously. This allows our users to place their trust in PostgreSQL for protecting their mission-critical data.
The PostgreSQL Global Development Group follows a model that shares responsibility between PostgreSQL itself and its deployment environment, including hardware, operating system, and the application layer (programming language, frameworks and client libraries). The PostgreSQL documentation provides info on the inherent security features of PostgreSQL and how to securely configure and run PostgreSQL.
Security vulnerabilities can exist both in PostgreSQL and software within the PostgreSQL ecosystem, including client libraries, extensions, installers, and other utilities. This page walks through what is considered a security vulnerability in PostgreSQL, how to report PostgreSQL security vulnerabilities, and how fixes for security vulnerabilities are released.
Please note that the PostgreSQL Project does not offer bug bounties.
The PostgreSQL Project is a CVE Numbering Authority (CNA), working with Red Hat as our CNA Root. This allows us to assign our own CVE numbers and publish CVE records for PostgreSQL and closely related projects.
We will currently assign CVE numbers for the following projects upon request to cna@postgresql.org:
Additional projects may request inclusion on the list above by emailing cna@postgresql.org.
NOTE: The security team will only assign CVEs to projects when requested by members of the project. If you think you've found a security issue in a project other than PostgreSQL or it's packages and installers, please contact the security team for that project. See below for more details.
A security vulnerability in PostgreSQL is an issue that allows a user to gain access to privileges or data that they do not have permission to use, or allows a user to execute arbitrary code through a PostgreSQL process.
The PostgreSQL Security Team does not consider reports on actions a PostgreSQL superuser takes to be a security vulnerability. However, a report on an unprivileged user escalating to superuser generally qualifies as valid.
The PostgreSQL Security Team typically does not consider a denial-of-service on a PostgreSQL server from an authenticated, valid SQL statement to be a security vulnerability. A denial-of-service issue of this nature could still be a bug, and we encourage you to report it on the Report a Bug page.
Please do not report the lack of DMARC on postgresql.org mailing lists. This is by design.
For security vulnerabilities in PostgreSQL or any of the installers linked from the PostgreSQL download page, please email security@postgresql.org.
For reporting non-security bugs, please visit the Report a Bug page.
If you are unsure if an issue is a security vulnerability, please err on the side of caution and email security@postgresql.org.
Please see below for how you can report security vulnerabilities in PostgreSQL-related projects:
The PostgreSQL Project releases security fixes as part of minor version updates. You are always advised to use the latest minor version available, as it will contain other non-security related fixes.
A new PostgreSQL major release, which contains new features, has every prior security fix.
If you find a security vulnerability in PostgreSQL, the PostgreSQL Security Team will credit you in the release notes and register a CVE for the vulnerability. Please do not register a CVE independently of the PostgreSQL Security Team.
To receive notifications about security releases or other security related news, you can subscribe to the pgsql-announce mailing list. If you set your subscription to only include the tag Security, it will exclude all other announcements that are sent to this list.
The PostgreSQL Global Development Group believes that accuracy, completeness and availability of security information is essential for our users. We choose to pool all information on this one page, allowing easy searching for security vulnerabilities over a range of criteria. This includes:
You can find more detailed information about a security vulnerability by clicking on the links in the table below.
You can filter the view of patches to show just patches for version:
17 -
16 -
15 -
14 -
13
- all
| Reference | Affected | Fixed | Component & CVSS v3 Base Score | Description |
|---|---|---|---|---|
|
CVE-2025-4207 Announcement |
17, 16, 15, 14, 13 | 17.5, 16.9, 15.13, 14.18, 13.21 | core server 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation more details |
|
CVE-2025-1094 Announcement |
17, 16, 15, 14, 13 | 17.3, 16.7, 15.11, 14.16, 13.19 | client 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation more details |
|
CVE-2024-10979 Announcement |
17, 16, 15, 14, 13 | 17.1, 16.5, 15.9, 14.14, 13.17 | core server 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
PostgreSQL PL/Perl environment variable changes execute arbitrary code more details |
|
CVE-2024-10978 Announcement |
17, 16, 15, 14, 13 | 17.1, 16.5, 15.9, 14.14, 13.17 | core server 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID more details |
|
CVE-2024-10977 Announcement |
17, 16, 15, 14, 13 | 17.1, 16.5, 15.9, 14.14, 13.17 | client 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
PostgreSQL libpq retains an error message from man-in-the-middle more details |
|
CVE-2024-10976 Announcement |
17, 16, 15, 14, 13 | 17.1, 16.5, 15.9, 14.14, 13.17 | core server 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
PostgreSQL row security below e.g. subqueries disregards user ID changes more details |
|
CVE-2024-7348 Announcement |
16, 15, 14, 13 | 16.4, 15.8, 14.13, 13.16 | core server 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
PostgreSQL relation replacement during pg_dump executes arbitrary SQL more details |
|
CVE-2024-4317 Announcement |
16, 15, 14 | 16.3, 15.7, 14.12 | core server 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner more details |
|
CVE-2024-0985 Announcement |
16, 15, 14, 13 | 16.2, 15.6, 14.11, 13.14 | core server 8.0 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL more details |
|
CVE-2023-39418 Announcement |
15 | 15.4 | core server 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
MERGE fails to enforce UPDATE or SELECT row security policies more details |
|
CVE-2023-39417 Announcement |
15, 14, 13 | 15.4, 14.9, 13.12 | core server 7.5 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Extension script @substitutions@ within quoting allow SQL injection more details |
|
CVE-2023-5870 Announcement |
16, 15, 14, 13 | 16.1, 15.5, 14.10, 13.13 | core server 2.2 AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L |
Role "pg_signal_backend" can signal certain superuser processes more details |
|
CVE-2023-5869 Announcement |
16, 15, 14, 13 | 16.1, 15.5, 14.10, 13.13 | core server 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Buffer overrun from integer overflow in array modification more details |
|
CVE-2023-5868 Announcement |
16, 15, 14, 13 | 16.1, 15.5, 14.10, 13.13 | core server 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Memory disclosure in aggregate function calls more details |
|
CVE-2023-2455 Announcement |
15, 14, 13 | 15.3, 14.8, 13.11 | core server 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Row security policies disregard user ID changes after inlining more details |
|
CVE-2023-2454 Announcement |
15, 14, 13 | 15.3, 14.8, 13.11 | core server 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CREATE SCHEMA ... schema_element defeats protective search_path changes more details |
|
CVE-2022-41862 Announcement |
15, 14, 13 | 15.2, 14.7, 13.10 | client 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Client memory disclosure when connecting, with Kerberos, to modified server more details |
|
CVE-2022-2625 Announcement |
14, 13 | 14.5, 13.8 | core server 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
Extension scripts replace objects not belonging to the extension more details |
|
CVE-2022-1552 Announcement |
14, 13 | 14.3, 13.7 | core server 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Autovacuum, REINDEX, and others omit "security restricted operation" sandbox more details |
|
CVE-2021-32029 Announcement |
13 | 13.3 | core server 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Memory disclosure in partitioned-table UPDATE ... RETURNING more details |
|
CVE-2021-32028 Announcement |
13 | 13.3 | core server 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE more details |
|
CVE-2021-32027 Announcement |
13 | 13.3 | core server 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Buffer overrun from integer overflow in array subscripting calculations more details |
|
CVE-2021-23222 Announcement |
14, 13 | 14.1, 13.5 | client 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
libpq processes unencrypted bytes from man-in-the-middle more details |
|
CVE-2021-23214 Announcement |
14, 13 | 14.1, 13.5 | core server 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Server processes unencrypted bytes from man-in-the-middle more details |
|
CVE-2021-20229 Announcement |
13 | 13.2 | core server 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Single-column SELECT privilege enables reading all columns more details |
|
CVE-2021-3677 Announcement |
13 | 13.4 | core server 6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Memory disclosure in certain queries more details |
|
CVE-2021-3393 Announcement |
13 | 13.2 | core server 3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Partition constraint violation errors leak values of denied columns more details |
|
CVE-2020-25696 Announcement |
13 | 13.1 | client 7.5 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
psql's \gset allows overwriting specially treated variables more details |
|
CVE-2020-25695 Announcement |
13 | 13.1 | core server 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Multiple features escape "security restricted operation" sandbox more details |
|
CVE-2020-25694 Announcement |
13 | 13.1 | client 8.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Reconnection can downgrade connection security settings more details |
You can also view archived security patches for unsupported versions. Note that no further
security patches are made available for these versions as they are end of life.
12 -
11 -
10 -
9.6 -
9.5 -
9.4 -
9.3 -
9.2 -
9.1 -
9.0 -
8.4 -
8.3 -
8.2 -
8.1 -
8.0 -
7.4 -
7.3
The following component references are used in the above table:
| Component | Description |
|---|---|
| core server | This vulnerability exists in the core server product. |
| client | This vulnerability exists in a client library or client application only. |
| contrib module | This vulnerability exists in a contrib module. Contrib modules are not installed by default when PostgreSQL is installed from source. They may be installed by binary packages. |
| client contrib module | This vulnerability exists in a contrib module used on the client only. |
| packaging | This vulnerability exists in PostgreSQL binary packaging, e.g. an installer or RPM. |
The PostgreSQL Security Team is made up of a group of contributors to the PostgreSQL project who have experience in different aspects of database and information security.
You can find a list of members on the security team here:
| 阴阳人是什么意思 | 尔昌尔炽什么意思 | 什么是中产阶级 | 记忆力差是什么原因 | 麦冬有什么作用 |
| 肠粉为什么叫肠粉 | 肌腱炎是什么症状 | 苟不教的苟是什么意思 | trance什么意思 | 什么是手足口病 |
| 综合内科是看什么病 | 士官是什么 | 咳嗽有白痰一直不好是什么原因 | 膝盖疼吃什么药好 | 总ige是什么意思 |
| 标新立异是什么意思 | 巴沙鱼为什么不能吃 | 七宗罪分别是什么 | 什么蔬菜补钾 | 前轮轴承坏了会有什么症状 |
| 女生自慰是什么感觉hcv9jop6ns4r.cn | 什么是毛囊炎hcv9jop8ns0r.cn | 腹泻可以吃什么hcv9jop8ns2r.cn | 花园里面有什么hcv8jop1ns7r.cn | g18k金是什么意思hcv9jop2ns8r.cn |
| 鱿鱼是什么动物hcv8jop8ns5r.cn | 水乳是什么hcv8jop9ns3r.cn | 内内是什么意思hcv8jop5ns6r.cn | 腺样体面容是什么意思hcv8jop9ns8r.cn | 驻外大使是什么级别hcv9jop7ns0r.cn |
| 七宗罪分别是什么hcv8jop9ns6r.cn | 11月9号是什么星座hcv7jop5ns1r.cn | 脚肿是什么原因hcv8jop4ns2r.cn | 11月8日是什么星座xinjiangjialails.com | 肚子疼吃什么药hcv9jop3ns6r.cn |
| 什么水果是碱性的hcv9jop0ns5r.cn | 八七年属什么的wzqsfys.com | 子宫回声欠均匀是什么意思hcv8jop5ns3r.cn | 舌自心念什么hcv8jop5ns3r.cn | 1月21号什么星座hcv9jop0ns2r.cn |