Postgrex — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/postgrex/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 18 May 2026 17:53:57 +0000Postgrex SQL Injection Vulnerability in Notifications.listen/3 (CVE-2026-32687)https://feed.craftedsignal.io/briefs/2026-05-postgrex-sqli/Mon, 18 May 2026 17:53:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-postgrex-sqli/A SQL injection vulnerability exists in Postgrex versions 0.16.0 to before 0.22.2 within the `Postgrex.Notifications.listen/3` function allowing attackers to execute arbitrary SQL commands on the notifications connection by manipulating the channel name.A SQL injection vulnerability has been identified in the Postgrex library, specifically affecting versions 0.16.0 up to 0.22.2. The vulnerability resides in the Postgrex.Notifications.listen/3 function. The channel argument is directly interpolated into the LISTEN and UNLISTEN SQL commands without proper sanitization, creating an opportunity for attackers to inject arbitrary SQL. This issue could be exploited by any caller who uses a user-influenced channel name without input validation. Successful exploitation could lead to unauthorized data access, modification, or even destruction within the PostgreSQL database. The vulnerability is identified as CVE-2026-32687.

Attack Chain

  1. An attacker crafts a malicious channel name containing SQL injection payloads.
  2. The application calls Postgrex.Notifications.listen/3 or Postgrex.Notifications.unlisten/3 with the malicious channel name.
  3. Postgrex interpolates the unsanitized channel name into a LISTEN or UNLISTEN SQL command.
  4. The injected SQL command is executed on the notifications connection.
  5. The attacker can execute arbitrary SQL commands, such as creating tables, dropping tables, or creating roles.
  6. This can lead to privilege escalation within the database.
  7. Sensitive data can be accessed, modified, or deleted.
  8. The attacker gains control over the application’s database.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-32687) can allow attackers to execute arbitrary SQL commands on the database, potentially leading to unauthorized data access, modification, or destruction. Since the notifications connection runs as the application’s database role, the attacker can read, modify, or destroy any data that the application’s DB role has access to. This could have a severe impact on the application’s functionality and data integrity.

Recommendation

  • Upgrade to Postgrex version 0.22.2 or later to patch the vulnerability.
  • Sanitize user input used as channel names in Postgrex.Notifications.listen/3 and Postgrex.Notifications.unlisten/3 by ensuring it does not contain quotes or null bytes, as recommended in the advisory.
  • Deploy the Sigma rules provided below to detect potential exploitation attempts in your environment.
]]>highthreatsql-injectionvulnerabilitypostgrex