{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/postgrex/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-32687"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["postgrex"],"_cs_severities":["high"],"_cs_tags":["sql-injection","vulnerability","postgrex"],"_cs_type":"threat","_cs_vendors":["erlang"],"content_html":"\u003cp\u003eA SQL injection vulnerability has been identified in the Postgrex library, affecting versions from 0.16.0 up to, but not including, 0.22.2. The vulnerability resides in the \u003ccode\u003ePostgrex.Notifications.listen/3\u003c/code\u003e function. The \u003ccode\u003echannel\u003c/code\u003e argument is directly interpolated into the \u003ccode\u003eLISTEN\u003c/code\u003e and \u003ccode\u003eUNLISTEN\u003c/code\u003e SQL commands without proper sanitization, creating an opportunity for attackers to inject arbitrary SQL. The issue is exploitable in any application that passes a user-influenced channel name to these functions without input validation. Successful exploitation could lead to unauthorized data access, modification, or even destruction within the PostgreSQL database. The vulnerability is identified as CVE-2026-32687.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious channel name containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003ePostgrex.Notifications.listen/3\u003c/code\u003e or \u003ccode\u003ePostgrex.Notifications.unlisten/3\u003c/code\u003e with the malicious channel name.\u003c/li\u003e\n\u003cli\u003ePostgrex interpolates the unsanitized channel name into a \u003ccode\u003eLISTEN\u003c/code\u003e or \u003ccode\u003eUNLISTEN\u003c/code\u003e SQL command.\u003c/li\u003e\n\u003cli\u003eThe injected SQL command is executed on the notifications connection.\u003c/li\u003e\n\u003cli\u003eThe attacker can execute arbitrary SQL commands, such as creating tables, dropping tables, or creating roles.\u003c/li\u003e\n\u003cli\u003eThis can lead to privilege escalation within the database.\u003c/li\u003e\n\u003cli\u003eSensitive data can be accessed, modified, or deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the application\u0026rsquo;s database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-32687) can allow attackers to execute arbitrary SQL commands on the database, potentially leading to unauthorized data access, modification, or destruction. Since the notifications connection runs as the application\u0026rsquo;s database role, the attacker can read, modify, or destroy any data that the application\u0026rsquo;s DB role has access to. This could have a severe impact on the application\u0026rsquo;s functionality and data integrity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Postgrex version 0.22.2 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eSanitize user input used as channel names in \u003ccode\u003ePostgrex.Notifications.listen/3\u003c/code\u003e and \u003ccode\u003ePostgrex.Notifications.unlisten/3\u003c/code\u003e by ensuring it does not contain quotes or null bytes, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:53:57Z","date_published":"2026-05-18T17:53:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-postgrex-sqli/","summary":"A SQL injection vulnerability exists in Postgrex versions 0.16.0 to before 0.22.2 within the `Postgrex.Notifications.listen/3` function allowing attackers to execute arbitrary SQL commands on the notifications connection by manipulating the channel name.","title":"Postgrex SQL Injection Vulnerability in Notifications.listen/3 (CVE-2026-32687)","url":"https://feed.craftedsignal.io/briefs/2026-05-postgrex-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Postgrex","version":"https://jsonfeed.org/version/1.1"}