CVE-2026-6637

Severity: High
Published: 14 May 2026
Modified: 18 May 2026
CISA KEV: not listed
Patch: fixed in PostgreSQL 18.4, 17.10, 16.14, 15.18 and 14.23
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0038 (29.7th percentile)
Risk Priority: 55 (site composite score; floored blend using peak EPSS)

Summary

CVE-2026-6637 is a high-severity vulnerability in the PostgreSQL contrib module "refint" (CPE product postgresql:postgresql). It comprises a stack buffer overflow that lets an unprivileged database user execute arbitrary code as the operating system account running the server, and a related SQL injection (CWE-89) that is reachable when an application lets users control updates to a column declared as a refint cascade primary key. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Note the vector's PR:L: the attacker needs an authenticated database session, so the exposed population is every role that can log in to the database, not anonymous network clients. EPSS ranks the CVE at the 29.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
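Two triage checks follow directly from the description above: is a given server on one of the fixed releases, and which tables carry the trigger pattern the second attack path needs (a refint check_foreign_key() trigger with action 'cascade' on a column users can update). The following is an added example, not code from the advisory or from the PostgreSQL project. The function names check_primary_key() and check_foreign_key() and the argument layout of check_foreign_key() (number of referencing tables, action, the key columns, then one table-plus-columns group per referencing table) are those documented for the refint module; the schema, table and trigger names in SAMPLE_ROWS are constructed for this example.

```python
"""Triage helpers for CVE-2026-6637 (PostgreSQL contrib module "refint").

Added example, not code from the advisory or the PostgreSQL project.
  is_patched()        compares `SHOW server_version` output with the fixed
                      releases the advisory names.
  INVENTORY_SQL       lists every trigger bound to refint's two functions.
  exposed_triggers()  parses the pg_get_triggerdef() text returned by that
                      query and flags 'cascade' check_foreign_key() triggers
                      together with the primary-key columns they protect.
SAMPLE_ROWS is constructed sample output of INVENTORY_SQL.
"""
import re
from typing import Optional

# Fixed releases per the advisory, keyed by major version.
FIXED = {18: (18, 4), 17: (17, 10), 16: (16, 14), 15: (15, 18), 14: (14, 23)}

# Run against each database. refint's trigger arguments are only visible
# through pg_get_triggerdef(), hence the join to pg_proc to find the function.
INVENTORY_SQL = """
SELECT n.nspname, c.relname, t.tgname, pg_get_triggerdef(t.oid)
FROM pg_trigger t
JOIN pg_class c     ON c.oid = t.tgrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_proc p      ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal
  AND p.proname IN ('check_primary_key', 'check_foreign_key');
"""

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?")
_CALL_RE = re.compile(
    r"EXECUTE\s+(?:FUNCTION|PROCEDURE)\s+(?:[\w\"]+\.)?"
    r"(check_foreign_key|check_primary_key)\s*\((.*)\)\s*$",
    re.IGNORECASE | re.DOTALL,
)
_ARG_RE = re.compile(r"'((?:[^']|'')*)'")  # one SQL string literal


def parse_server_version(text: str) -> Optional[tuple[int, int]]:
    """'16.13 (Debian 16.13-1.pgdg120+1)' -> (16, 13); None if unparsable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_patched(server_version: str) -> Optional[bool]:
    """True on a fixed release, False if affected, None when the advisory
    names no fixed release for this major (e.g. out-of-support 13.x)."""
    v = parse_server_version(server_version)
    if v is None or v[0] not in FIXED:
        return None
    return v >= FIXED[v[0]]


def classify_trigger(tgdef: str) -> dict:
    """Parse one pg_get_triggerdef() result.

    check_foreign_key's arguments are: nrefs, action, the nkeys primary-key
    columns, then nrefs groups of (referencing table, nkeys columns), so
    nkeys = (len(args) - 2 - nrefs) / (1 + nrefs).
    """
    m = _CALL_RE.search(tgdef)
    if not m:
        return {"refint": False}
    func = m.group(1).lower()
    args = [a.replace("''", "'") for a in _ARG_RE.findall(m.group(2))]
    info = {"refint": True, "function": func, "args": args, "cascade": False}
    if func == "check_foreign_key" and len(args) >= 2 and args[0].isdigit():
        nrefs = int(args[0])
        nkeys = (len(args) - 2 - nrefs) // (1 + nrefs)
        info["action"] = args[1].lower()
        info["cascade"] = info["action"] == "cascade"
        info["pk_columns"] = args[2:2 + nkeys]
    return info


def exposed_triggers(rows):
    """rows: (schema, table, trigger, definition) tuples from INVENTORY_SQL.
    Returns the cascade check_foreign_key() triggers with the primary-key
    columns whose user-controlled updates the advisory warns about."""
    out = []
    for schema, table, tgname, tgdef in rows:
        info = classify_trigger(tgdef)
        if info.get("cascade"):
            out.append((f"{schema}.{table}", tgname, info["pk_columns"]))
    return out


SAMPLE_ROWS = [  # constructed sample output of INVENTORY_SQL
    ("public", "customers", "customers_refint",
     "CREATE TRIGGER customers_refint BEFORE DELETE OR UPDATE ON public.customers "
     "FOR EACH ROW EXECUTE FUNCTION check_foreign_key('2', 'cascade', 'id', "
     "'orders', 'customer_id', 'invoices', 'customer_id')"),
    ("public", "products", "products_refint",
     "CREATE TRIGGER products_refint BEFORE DELETE OR UPDATE ON public.products "
     "FOR EACH ROW EXECUTE FUNCTION check_foreign_key('1', 'restrict', 'sku', "
     "'order_lines', 'sku')"),
    ("public", "orders", "orders_fk_check",
     "CREATE TRIGGER orders_fk_check BEFORE INSERT OR UPDATE ON public.orders "
     "FOR EACH ROW EXECUTE FUNCTION check_primary_key('customer_id', 'customers', 'id')"),
]

if __name__ == "__main__":
    for ver in ("16.13 (Debian 16.13-1.pgdg120+1)", "16.14", "13.20"):
        print(f"{ver!r}: patched={is_patched(ver)}")
    for target, tgname, pk in exposed_triggers(SAMPLE_ROWS):
        print(f"cascade refint trigger {tgname} on {target}, primary key {pk}")
```

In practice you would feed `psql -Atc "SHOW server_version"` into is_patched() and the rows of INVENTORY_SQL into exposed_triggers() for every database on the host. A 'restrict' or 'setnull' trigger, or one bound to check_primary_key(), does not match the description's second attack path; the overflow, however, affects every unpatched server regardless of whether refint triggers are installed, so is_patched() is the check that decides priority.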

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). This classifies only the second attack path; the stack buffer overflow in the same module is a memory-safety weakness that the NVD entry does not separately classify.

Related Threats

MITRE ATT&CK Enterprise Techniques (automated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The stack buffer overflow turns any database login into code execution as the operating system user running PostgreSQL, which is privilege escalation from database user to OS process owner (T1068); where the server is reachable from the Internet and the attacker can obtain a login, the same flaw serves as initial access (T1190). The SQL injection path runs arbitrary SQL as the database role performing the primary-key update, so it escalates privilege within the database rather than to the operating system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6476 (same product: PostgreSQL)
CVE-2026-2007 (same product: PostgreSQL)
CVE-2026-2004 (same product: PostgreSQL)
CVE-2026-2006 (same product: PostgreSQL)
CVE-2026-6473 (same product: PostgreSQL)
CVE-2026-2005 (same product: PostgreSQL)
CVE-2026-6477 (same product: PostgreSQL)
CVE-2026-6475 (same product: PostgreSQL)
CVE-2026-6479 (same product: PostgreSQL)
CVE-2026-27470 (shared weakness: CWE-89)

Affected Assets

postgresql / postgresql (CPE vendor and product)
≤ 14.23 · 15.0 — 15.18 · 16.0 — 16.14

Caveat: these ranges are narrower than the vulnerability description, which states that versions before 14.23, 15.18, 16.14, 17.10 and 18.4 are affected. The upper bounds listed above are the fixed releases (so 14.23, 15.18 and 16.14 are patched, not affected), and the 17.x and 18.x branches are missing entirely. Treat the description as authoritative when scoping patching.

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.

Neither control reaches the stack buffer overflow, and application-side validation does not remove the injection inside refint's own cascade handling. The effective fix is upgrading to PostgreSQL 18.4, 17.10, 16.14, 15.18 or 14.23. Until then, do not let untrusted users supply the new value of a primary key that a refint 'cascade' trigger propagates, and limit which roles can log in to affected servers, since the overflow requires only an unprivileged database login.