JLSEC-2026-603

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-603.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-603.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2026-603
Upstream
  • CVE-2026-6475
Published
2026-06-08T13:54:13.679Z
Modified
2026-06-08T14:00:04.356638285Z
Summary
[none]
Details

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Database specific
{
    "sources": [
        {
            "modified": "2026-05-18T15:02:12.483Z",
            "id": "CVE-2026-6475",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6475",
            "published": "2026-05-14T14:16:25.113Z",
            "imported": "2026-06-08T13:34:09.630Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-6475",
            "database_specific": {
                "status": "Analyzed"
            }
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / LibPQ_jll

Package

Name
LibPQ_jll
Purl
pkg:julia/LibPQ_jll?uuid=08be9ffa-1c94-5ee5-a977-46a84ec9b350

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
16.14.0+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-603.json"