CVE Vulnerabilities

CVE-2026-6475

UNIX Symbolic Link (Symlink) Following

Published: May 14, 2026 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.7 MODERATE
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Weakness

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Affected Software

NameVendorStart VersionEnd Version
PostgresqlPostgresql*14.23 (excluding)
PostgresqlPostgresql15.0 (including)15.18 (excluding)
PostgresqlPostgresql16.0 (including)16.14 (excluding)
PostgresqlPostgresql17.0 (including)17.10 (excluding)
PostgresqlPostgresql18.0 (including)18.4 (excluding)
Red Hat Enterprise Linux 10RedHatpostgresql18-0:18.4-1.el10_2*
Red Hat Enterprise Linux 10RedHatpostgresql16-0:16.14-1.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatpostgresql16-0:16.14-1.el10_0*
Red Hat Enterprise Linux 8RedHatpostgresql:15-8100020260605152259.489197e6*
Red Hat Enterprise Linux 8RedHatlibpq-0:13.23-2.el8_10*
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRedHatpostgresql:12-8040020260624104459.522a0ee4*
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRedHatpostgresql:13-8040020260630100922.522a0ee4*
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRedHatpostgresql:12-8040020260624104459.522a0ee4*
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-OnRedHatpostgresql:13-8040020260630100922.522a0ee4*
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRedHatpostgresql:12-8060020260623094704.ad008a3a*
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update SupportRedHatpostgresql:13-8060020260625065744.ad008a3a*
Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-OnRedHatpostgresql:12-8060020260623094704.ad008a3a*
Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-OnRedHatpostgresql:13-8060020260625065744.ad008a3a*
Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRedHatpostgresql:15-8080020260615085052.63b34585*
Red Hat Enterprise Linux 8.8 Telecommunications Update ServiceRedHatpostgresql:12-8080020260626093604.63b34585*
Red Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRedHatpostgresql:15-8080020260615085052.63b34585*
Red Hat Enterprise Linux 8.8 Update Services for SAP SolutionsRedHatpostgresql:12-8080020260626093604.63b34585*
Red Hat Enterprise Linux 9RedHatpostgresql:16-9080020260605131007.rhel9*
Red Hat Enterprise Linux 9RedHatpostgresql:18-9080020260605125734.rhel9*
Red Hat Enterprise Linux 9RedHatpostgresql-0:13.23-3.el9_8*
Red Hat Enterprise Linux 9RedHatpostgresql:15-9080020260605124405.rhel9*
Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRedHatpostgresql-0:13.23-1.el9_2.2*
Red Hat Enterprise Linux 9.2 Update Services for SAP SolutionsRedHatpostgresql:15-9020020260625101129.rhel9*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpostgresql:16-9040020260612132455.rhel9*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpostgresql-0:13.23-1.el9_4.2*
Red Hat Enterprise Linux 9.4 Update Services for SAP SolutionsRedHatpostgresql:15-9040020260616071806.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpostgresql:16-9060020260612084605.rhel9*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpostgresql-0:13.23-1.el9_6.2*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatpostgresql:15-9060020260622062902.rhel9*
Red Hat Hardened ImagesRedHatpostgresql17-main-17.10-0.1.hum1*
Red Hat Hardened ImagesRedHatpostgresql18-main-18.4-0.1.hum1*
Postgresql-10Ubuntuupstream*
Postgresql-12Ubuntuupstream*
Postgresql-14Ubuntujammy*
Postgresql-16Ubuntunoble*
Postgresql-17Ubuntuquesting*
Postgresql-18Ubuntudevel*
Postgresql-18Ubunturesolute*
Postgresql-9.3Ubuntuupstream*
Postgresql-9.5Ubuntuupstream*

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References