PostgreSQL 18.4 Released: 11 Security CVEs Fixed Including SQL Injection in Logical Replication and MD5 Timing Attack
The PostgreSQL Global Development Group released versions 18.4, 17.10, 16.14, 15.18, and 14.23 on May 14, patching 11 security vulnerabilities and over 60 bug fixes. Critical patches address SQL injection in the logical replication system, an MD5 password timing channel, and an SSL/GSS recursion denial-of-service vector.
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 shipped on May 14, 2026 — a coordinated security release fixing 11 CVEs across all supported major versions plus over 60 non-security bug fixes. Any team running self-managed PostgreSQL needs to treat this as an urgent upgrade, particularly if logical replication is in use.
The three CVEs that matter most
SQL injection in logical replication (CVSS TBD — treat as High): An ALTER SUBSCRIPTION … REFRESH PUBLICATION command executed by a subscription table creator can be manipulated to run arbitrary SQL with the credentials of the publication side. In a multi-tenant or federated architecture where subscriptions span trust boundaries, this is directly exploitable by a low-privilege subscription owner to execute code under a more-privileged publication role. The fix restricts the identifier quoting path in the replication refresh handler. If you run logical replication between schemas or databases with different privilege levels, patch immediately.
MD5 password timing channel: A covert timing side-channel in the MD5 password authentication path allows an attacker with repeated query access to incrementally recover password hashes. This does not affect the default scram-sha-256 authentication method introduced in PostgreSQL 10. If your pg_hba.conf still uses md5 for any connection (common in legacy deployments and managed migration scenarios), this CVE applies to you. The fix normalizes comparison timing. Upgrade and migrate authentication to scram-sha-256.
Uncontrolled SSL/GSS recursion (DoS): A malformed client handshake can trigger uncontrolled recursion in the SSL or GSS authentication handler over both TCP and Unix socket connections. This allows an unauthenticated remote attacker to crash the PostgreSQL backend process, resulting in a denial of service for all connections. Severity depends on your network exposure: instances accessible from untrusted networks are at higher risk. The fix adds recursion depth guards to the authentication handshake stack.
Additional patches
Beyond the three issues above, the release also fixes path traversal vulnerabilities in pg_basebackup and pg_rewind that could allow privilege escalation during backup and failover operations, and buffer overflows in several contrib modules. These are lower severity but still warrant patching.
How to upgrade
For package-managed deployments (apt, dnf/yum, brew):
# Debian/Ubuntu
sudo apt update && sudo apt install postgresql-18
# RHEL/Fedora
sudo dnf update postgresql
# macOS (Homebrew)
brew upgrade postgresql@18
Managed cloud databases (AWS RDS, GCP Cloud SQL, Azure Database for PostgreSQL, Supabase): these providers apply minor version patches during maintenance windows. Verify your minor version in the console. If you’re not on 18.4 / 17.10 / 16.14 / 15.18 / 14.23 yet, check your provider’s patching timeline or trigger a manual minor version upgrade.
No dump/restore is needed for minor version upgrades. A service restart with the new binaries is sufficient.
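A post-upgrade check that follows from the two points above: confirm the running minor version carries the fixes, and list any pg_hba.conf rule still authenticating with md5. This is an added example, not part of the release announcement; the version strings and the pg_hba.conf content are constructed, and the fixed-version table is taken from this article.

```python
import re

# Minimum patched minor version for each supported major line,
# taken from the release announcement above.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Constructed sample pg_hba.conf for demonstration (not from any real deployment).
SAMPLE_HBA = """\
# TYPE  DATABASE     USER  ADDRESS              METHOD
local   all          all                        peer
host    all          all   127.0.0.1/32         scram-sha-256
hostssl app          app   10.0.0.0/8           md5   # legacy client pool
host    all          all   10.1.0.0 255.255.0.0 md5
host    replication  repl  10.2.0.5/32          scram-sha-256
"""

def parse_version(version_string):
    """Extract (major, minor) from the output of SELECT version(),
    e.g. 'PostgreSQL 17.9 (Debian 17.9-1.pgdg120+1) on x86_64-pc-linux-gnu'."""
    m = re.search(r"PostgreSQL (\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_string)
    return int(m.group(1)), int(m.group(2))

def is_patched(version_string):
    """True when the minor version carries the May 14 fixes. Majors that are
    no longer supported receive no fix at all, so they report False too."""
    major, minor = parse_version(version_string)
    fixed = FIXED_MINOR.get(major)
    return fixed is not None and minor >= fixed

def md5_hba_lines(hba_text):
    """Return (line number, rule) for every active pg_hba.conf rule that
    still authenticates with md5; comments and blank lines are ignored."""
    hits = []
    for n, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            method = fields[3] if len(fields) > 3 else None   # TYPE DB USER METHOD
        else:
            idx = 4   # TYPE DB USER ADDRESS [MASK] METHOD
            if len(fields) > 5 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fields[4]):
                idx = 5   # dotted-quad netmask supplied as its own field
            method = fields[idx] if len(fields) > idx else None
        if method == "md5":
            hits.append((n, " ".join(fields)))
    return hits

def audit(version_string, hba_text):
    """Combine both checks into a list of findings; an empty list means nothing to do."""
    findings = []
    if not is_patched(version_string):
        findings.append("server %d.%d predates the fixed release" % parse_version(version_string))
    for n, rule in md5_hba_lines(hba_text):
        findings.append("pg_hba.conf line %d uses md5: %s" % (n, rule))
    return findings
```

Run `audit()` with the output of `SELECT version()` and the contents of your pg_hba.conf; every md5 rule it reports should be moved to scram-sha-256 after the affected roles' passwords are reset, since existing md5 hashes cannot be converted in place.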
PostgreSQL 14 reaches end of life in November 2026. If you’re running 14.23, this is an appropriate moment to schedule a major version upgrade to 16 or 17.