PostgreSQL
PostgreSQL is an open-source relational database used across application backends, analytics workloads, and managed cloud database services. Unlike many other products in the Attestd coverage set, PostgreSQL typically requires an authenticated database connection before any of its vulnerabilities can be exploited. The attack surface is therefore bounded by which users hold database logins and what privileges those logins carry.
Querying PostgreSQL
Example query for PostgreSQL 15.2 (the same call works for any version string, for example 14.8 or 16.0):

curl "https://api.attestd.io/v1/check?product=postgresql&version=15.2" \
  -H "Authorization: Bearer $ATTESTD_KEY"

PostgreSQL 15.2 is affected by CVE-2023-2454 and CVE-2023-2455. CVE-2023-2454 lets a user holding CREATE privilege on the database execute arbitrary code as the bootstrap superuser by using CREATE SCHEMA to defeat protective search_path changes; CVE-2023-2455 is a row security policy bypass. Both require an authenticated database user, so authentication_required is true and the response returns risk_state: "elevated" rather than "high".
{
"product": "postgresql",
"version": "15.2",
"supported": true,
"risk_state": "elevated",
"risk_factors": [
"remote_code_execution",
"patch_available"
],
"actively_exploited": false,
"remote_exploitable": true,
"authentication_required": true,
"patch_available": true,
"fixed_version": "15.3",
"confidence": 0.90,
"cve_ids": ["CVE-2023-2454", "CVE-2023-2455"],
"last_updated": "2026-02-23T18:21:30Z"
}

CVE history
PostgreSQL CVEs tend to involve privilege boundary failures: users bypassing row-level security policies, unprivileged users executing code with elevated database privileges via extensions or background workers, or server-side logic trusting schema paths it should not. Remote unauthenticated vulnerabilities are rare; most require a valid database user with at minimum CONNECT privilege.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2023-2454 | CREATE SCHEMA with a schema_element defeats protective search_path changes. A user with CREATE privilege on the database (database owners hold it by default, and explicit grants can extend it) can execute arbitrary code as the bootstrap superuser. | 11.x to 15.2 | 7.2 |
| CVE-2023-2455 | Row security policies are not enforced correctly after a set-returning SQL-language function that reads an RLS-protected table is inlined into the calling query, letting a user see or modify rows the policies should hide. | 11.x to 15.2 | 4.2 |
| CVE-2022-1552 | Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER and pg_amcheck activated their protections against operating on another user's objects too late or not at all. An attacker able to create non-temporary objects in at least one schema can get arbitrary SQL functions executed under a superuser identity when those operations run against the attacker's objects. | 10.x to 14.2 | 8.8 |
| CVE-2019-10130 | Selectivity estimators bypass row security policies. Column statistics (most common values, histograms) are consulted without regard to RLS, so a user who can run queries against an RLS-protected table can learn values from rows the policies hide. | 9.5.x to 11.3 | 4.3 |
| CVE-2024-10979 | PL/Perl lets a database user change process environment variables such as PATH, which is often enough for arbitrary code execution on the database server even without an operating-system account. Any user able to run code in the trusted plperl language is affected. | 12.x to 17.0 | 8.8 |
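The Affects column compresses several release branches into one range, which is a trap for anyone scripting against it: 14.8 sorts below 15.2 yet is a fixed release for CVE-2023-2454, because each branch has its own first fixed patch level. The following added example (not Attestd or PostgreSQL project code) encodes the per-branch first fixed releases from the PostgreSQL release notes for the five CVEs above and checks a server version string against them. The function and constant names are the example's own.

```python
"""Map a PostgreSQL server version to the CVEs in the table above.

Added example, not Attestd or PostgreSQL project code. A naive numeric
comparison against the "Affects" range is wrong because the range spans
several release branches that were fixed at different patch levels. The
check therefore keys on the branch (the major number, or major.minor for
the 9.x series) and compares only the patch number against that branch's
first fixed release, taken from the PostgreSQL release notes.
"""

# First fixed patch level per branch. A branch absent from a CVE's map
# is not affected by that CVE (e.g. CVE-2024-10979 does not reach 11.x).
FIXED_IN = {
    "CVE-2023-2454": {"11": 20, "12": 15, "13": 11, "14": 8, "15": 3},
    "CVE-2023-2455": {"11": 20, "12": 15, "13": 11, "14": 8, "15": 3},
    "CVE-2022-1552": {"10": 21, "11": 16, "12": 11, "13": 7, "14": 3},
    "CVE-2019-10130": {"9.5": 17, "9.6": 13, "10": 8, "11": 3},
    "CVE-2024-10979": {"12": 21, "13": 17, "14": 14, "15": 9, "16": 5, "17": 1},
}


def parse_version(version: str) -> tuple[str, int]:
    """Split a version string into (branch, patch).

    PostgreSQL 10 and later use major.patch ("15.2" -> ("15", 2));
    the 9.x series used major.minor.patch ("9.6.12" -> ("9.6", 12)).
    Anything else raises ValueError rather than guessing.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {version!r}")
    if len(parts) == 2 and int(parts[0]) >= 10:
        return parts[0], int(parts[1])
    if len(parts) == 3 and parts[0] == "9":
        return f"{parts[0]}.{parts[1]}", int(parts[2])
    raise ValueError(f"unrecognised PostgreSQL version layout: {version!r}")


def applicable_cves(version: str) -> dict[str, str]:
    """Return {cve_id: first fixed release on this branch} for each CVE
    from the table that still affects the given server version."""
    branch, patch = parse_version(version)
    hits = {}
    for cve, fixes in FIXED_IN.items():
        fixed_patch = fixes.get(branch)
        if fixed_patch is not None and patch < fixed_patch:
            hits[cve] = f"{branch}.{fixed_patch}"
    return hits


if __name__ == "__main__":
    for v in ("15.2", "14.8", "9.6.12", "17.0", "11.3", "14.14"):
        print(v, applicable_cves(v))
```

Running it on 15.2 reports CVE-2024-10979 (fixed in 15.9) alongside the two 2023 CVEs, which the sample response above does not list; treat the cve_ids field as a starting point and cross-check it against the release notes for the branch you run rather than as an exhaustive list.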
Understanding the risk profile
PostgreSQL CVEs commonly return elevated rather than high because most of them require a database connection with at least basic user privileges. The practical risk depends on who has database access in your environment: a vulnerability requiring only CONNECT privilege is far more dangerous in a multi-tenant database, where every tenant login is a potential foothold, than in a single-application deployment with one service account.
None of the current PostgreSQL CVEs in the Attestd dataset are on the CISA KEV catalog, so actively_exploited is typically false. This does not mean the vulnerabilities are low priority in a multi-user or internet-accessible database deployment.
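The point made here and in the sample response above, that authentication_required shifts the question from "is the port reachable" to "who holds logins and what can they create", is easiest to act on if the API verdict is re-ranked against facts only you know about the server. The following added example (not Attestd's own client or scoring logic) does that for the 15.2 response shown earlier. The DeploymentContext fields, the priority labels and the bump rules are assumptions chosen to illustrate the policy; the response fields are the ones the page shows.

```python
"""Re-rank an Attestd check response against deployment context.

Added example, not Attestd's own client or scoring logic. The response
fields are those shown on this page; the DeploymentContext fields, the
priority labels and the bump rules are assumptions chosen to illustrate
one point: a flaw that needs only an authenticated database user is a
different problem on a multi-tenant or internet-reachable server than on
a single-application backend.
"""
import json
from dataclasses import dataclass

# Constructed sample: the response shown above for PostgreSQL 15.2.
SAMPLE_RESPONSE = json.loads("""
{
  "product": "postgresql",
  "version": "15.2",
  "supported": true,
  "risk_state": "elevated",
  "risk_factors": ["remote_code_execution", "patch_available"],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": true,
  "patch_available": true,
  "fixed_version": "15.3",
  "confidence": 0.90,
  "cve_ids": ["CVE-2023-2454", "CVE-2023-2455"],
  "last_updated": "2026-02-23T18:21:30Z"
}
""")


@dataclass
class DeploymentContext:
    """Facts about one server that the API cannot know (assumed fields)."""
    multi_tenant: bool                # logins belong to more than one party
    internet_reachable: bool          # listener reachable from untrusted networks
    untrusted_roles_can_create: bool  # non-admin roles hold CREATE on the database or a schema


PRIORITIES = ["low", "medium", "high", "critical"]

# Assumed mapping from Attestd risk_state values to a local priority.
RISK_STATE_TO_PRIORITY = {"low": "low", "elevated": "medium", "high": "high"}


def bump(priority: str, cap: str) -> str:
    """Raise priority one step, never above cap and never downward."""
    cur = PRIORITIES.index(priority)
    return PRIORITIES[max(cur, min(cur + 1, PRIORITIES.index(cap)))]


def triage(resp: dict, ctx: DeploymentContext) -> dict:
    """Combine the API verdict with local exposure into a priority."""
    reasons = []
    priority = RISK_STATE_TO_PRIORITY.get(resp["risk_state"], "medium")

    if resp["actively_exploited"]:
        # Known exploitation overrides everything else.
        priority, reasons = "critical", ["listed on CISA KEV"]
    elif resp["authentication_required"]:
        # Auth-gated flaw: exposure is the login population, not the port.
        # Without exploitation evidence, cap at "high" (assumed policy).
        if ctx.multi_tenant:
            priority = bump(priority, "high")
            reasons.append("multi-tenant: every tenant login is a foothold")
        if ctx.internet_reachable:
            priority = bump(priority, "high")
            reasons.append("internet-reachable: stolen credentials make this remote")
        if ctx.untrusted_roles_can_create and "remote_code_execution" in resp["risk_factors"]:
            priority = bump(priority, "high")
            reasons.append("untrusted roles already hold the CREATE privilege the RCE needs")
    elif ctx.internet_reachable:
        priority = bump(priority, "critical")
        reasons.append("unauthenticated flaw on an internet-reachable listener")

    if resp["patch_available"]:
        action = f"upgrade to {resp['fixed_version']}"
    else:
        action = "no fix released: restrict CONNECT and CREATE grants to trusted roles"
    return {"priority": priority, "reasons": reasons, "action": action,
            "cve_ids": list(resp["cve_ids"])}


if __name__ == "__main__":
    for name, ctx in (("single-app", DeploymentContext(False, False, False)),
                      ("shared", DeploymentContext(True, True, True))):
        print(name, triage(SAMPLE_RESPONSE, ctx))
```

The context fields are meant to be filled from the server itself rather than guessed: untrusted_roles_can_create, for instance, follows from running has_database_privilege(rolname, current_database(), 'CREATE') and has_schema_privilege(rolname, nspname, 'CREATE') over the non-superuser login roles in pg_roles, which is exactly the precondition CVE-2023-2454 and CVE-2022-1552 need.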