PostgreSQL Missing Authorization in CREATE TYPE Vulnerability Allows Query Hijacking

Vulnerability

A vulnerability exists in PostgreSQL versions prior to 18.4, 17.10, 16.14, 15.18, and 14.23, where the CREATE TYPE command omits an authorization check. A role able to create objects can exploit this to intercept queries issued by other users that rely on search_path to resolve user-defined types, including types installed by extensions. A hijacked query then executes SQL functions chosen by the attacker rather than the code its author intended.

Impact

Exploitation allows attacker-chosen SQL functions to run inside another user's queries, and therefore with that user's privileges (a function referenced this way runs as the invoker unless it is SECURITY DEFINER). An attacker can thus read or manipulate data and database objects that the victim can access, including objects the attacker's own role could not otherwise reach.

Remediation

Upgrade to PostgreSQL 18.4, 17.10, 16.14, 15.18, or 14.23, whichever corresponds to the major version in use; releases older than 14 are not covered by the listed fixed versions. The flaw is in the server, so client-side changes alone do not address it, but the standard search_path hardening described in the PostgreSQL documentation (not granting CREATE on schemas that appear on other users' search_path to untrusted roles, schema-qualifying type references, and pinning search_path on functions that resolve unqualified names) reduces the exposure until the upgrade is applied.
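The following script, added here as an example and not taken from the advisory or from the PostgreSQL project, shows the checks and the hardening a DBA would run for the exposure described above: a patch-level check against the fixed versions listed in this advisory, a listing of which schemas on the session's search_path are writable by untrusted roles, a listing of user and extension types resolved through such schemas, and the general search_path hardening. The schema `app`, the role `app_user`, the type `app.money_t` and the function `app.settle` are assumed names that exist only for illustration; run it with psql as a superuser or the database owner.

```sql
-- Added example, not code from the advisory or from PostgreSQL itself.
-- Names "app", "app_user", "app.money_t" and "app.settle" are assumptions.

-- 1. Patch-level check. server_version_num is major*10000 + minor, so the
--    fixed releases named in the advisory are 180004, 170010, 160014,
--    150018 and 140023.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v >= 180000 THEN v >= 180004
         WHEN v >= 170000 THEN v >= 170010
         WHEN v >= 160000 THEN v >= 160014
         WHEN v >= 150000 THEN v >= 150018
         WHEN v >= 140000 THEN v >= 140023
         ELSE false            -- older than 14: no fixed release listed, treat as unfixed
       END AS fixed
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Which schemas does this session search, in order, and can PUBLIC create
--    objects (types included) in them? A schema that PUBLIC can write to and
--    that precedes the application schema is where a shadowing type could be
--    planted by any role.
SELECT p.pos,
       p.nspname,
       n.nspowner::regrole                              AS owner,
       has_schema_privilege('public', n.oid, 'CREATE')  AS public_can_create
FROM unnest(current_schemas(true)) WITH ORDINALITY AS p(nspname, pos)
JOIN pg_namespace n ON n.nspname = p.nspname
ORDER BY p.pos;

-- 3. User-defined and extension types outside the system schemas, with a flag
--    showing whether their own schema is writable by PUBLIC.
SELECT n.nspname, t.typname, t.typowner::regrole AS owner,
       has_schema_privilege('public', n.oid, 'CREATE') AS public_can_create
FROM pg_type t
JOIN pg_namespace n ON n.oid = t.typnamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
  AND left(t.typname, 1) <> '_'                 -- auto-created array types start with "_"
  AND (t.typtype IN ('b', 'd', 'e', 'r', 'm')   -- base, domain, enum, range, multirange
       OR (t.typtype = 'c' AND EXISTS (         -- stand-alone composite types only,
             SELECT 1 FROM pg_class c           -- not the row type of every table
             WHERE c.oid = t.typrelid AND c.relkind = 'c')))
ORDER BY 1, 2;

-- 4. Hardening that applies regardless of patch level (general PostgreSQL
--    search_path guidance; it narrows the exposure, it is not the fix).
REVOKE CREATE ON SCHEMA public FROM PUBLIC;   -- already the default for databases created on 15+
CREATE SCHEMA IF NOT EXISTS app;
CREATE ROLE app_user;                         -- assumed application role, assumed not to exist yet
GRANT USAGE ON SCHEMA app TO app_user;
-- Trusted schemas first; no schema writable by untrusted roles ahead of them.
ALTER ROLE app_user SET search_path = pg_catalog, app;

-- Schema-qualify type references, and pin search_path on functions so that
-- unqualified names inside them are not resolved through the caller's path.
CREATE TYPE app.money_t AS (amount numeric(12, 2), currency text);
CREATE FUNCTION app.settle(m app.money_t) RETURNS text
LANGUAGE sql
SET search_path = pg_catalog, app
AS $$ SELECT (m).amount::text || ' ' || (m).currency $$;

-- Confirm the pinned setting was recorded on the function.
SELECT proconfig FROM pg_proc WHERE oid = 'app.settle(app.money_t)'::regprocedure;
```

Section 1 answers whether the server still needs the upgrade; sections 2 and 3 tell you where an unqualified type name could be resolved through a schema other roles can write to, which is the condition the advisory's query hijacking depends on. Section 4 is the standard mitigation for that class of problem and is worth keeping in place after patching.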

Added: May 14, 2026, 2:25 PM
Updated: May 14, 2026, 2:25 PM

Vulnerability Rating

Custom Algorithm
spread: 8.1
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 7.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.