PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

CVE	CVE-2026-6472
State	PUBLISHED
Assigner	PostgreSQL
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-14 14:16:24 UTC
Updated	2026-05-14 16:21:23 UTC
Description	Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Primary CVSS: v3.1 5.4 MEDIUM from f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem Types: CWE-862 | CWE-862 Missing Authorization

Version	Source	Type	Score	Severity	Vector
3.1	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	Secondary	5.4	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N`
3.1	CNA	CVSS	5.4	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Source	Vendor	Product	Version	Platforms
CNA	Na	PostgreSQL	affected 18 18.4 rpm	Not specified
CNA	Na	PostgreSQL	affected 17 17.10 rpm	Not specified
CNA	Na	PostgreSQL	affected 16 16.14 rpm	Not specified
CNA	Na	PostgreSQL	affected 15 15.18 rpm	Not specified
CNA	Na	PostgreSQL	affected 14.23 rpm	Not specified

Reference	Source	Link	Tags
www.postgresql.org/support/security/CVE-2026-6472	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	www.postgresql.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem. (en)

There are currently no legacy QID mappings associated with this CVE.