
PostgreSQL 19 Beta 1 Released!

The PostgreSQL Global Development Group announces that the first beta release of PostgreSQL 19 is now available for download. This release contains PostgreSQL 19 feature previews ahead of general availability, though some details of the release can change during the beta period.

You can find information about all of the PostgreSQL 19 features and changes in the release notes:

https://www.postgresql.org/docs/19/release-19.html

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 19 on your systems to help us eliminate bugs and other issues. While we do not advise you to run beta versions in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback help the community ensure that PostgreSQL 19 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

PostgreSQL 19 Feature Highlights

Below are some of the feature highlights that are planned for PostgreSQL 19. This list is not exhaustive; for the full list of planned features, please see the release notes.

Performance

PostgreSQL 19 builds on the asynchronous I/O subsystem introduced in PostgreSQL 18. In this release, io_method=worker now automatically scales the number of I/O workers based on the new io_min_workers and io_max_workers settings.

This release also introduces the pg_plan_advice extension, which lets users stabilize and control planner decisions, along with pg_stash_advice to apply advice automatically using query identifiers.

This release brings improvements to vacuum and maintenance operations. Autovacuum can now use parallel workers, which can be configured with the new autovacuum_max_parallel_workers setting, and a new autovacuum scoring system helps prioritize tables to vacuum. PostgreSQL 19 further enhances vacuum with a new strategy that can automatically reduce future vacuuming work by marking pages as visible while they're being queried. Additionally, this release adds the new REPACK command and its nonblocking CONCURRENTLY option, which allow tables to be rebuilt with less operational overhead.

PostgreSQL 19 shows up to 2x better performance on inserts when foreign key checks are present. Additionally, this release improves several areas of the query planner and executor, including new anti-join optimizations, broader use of incremental sorts, eager aggregation that speeds up row processing, faster reads from storage during parallel sequential scans, and simplification of IS DISTINCT FROM and IS NOT DISTINCT FROM to plain <> and = operators when the inputs are not nullable. There are also improvements for LISTEN/NOTIFY scalability that impact multi-channel workloads.

Developer Experience

PostgreSQL 19 introduces support for SQL/PGQ, letting users execute property graph queries using SQL standard syntax. This release also expands temporal query capabilities with UPDATE and DELETE support for the FOR PORTION OF clause, complementing the temporal constraint support added in PostgreSQL 18. This release also adds ALTER TABLE ... MERGE PARTITIONS and ALTER TABLE ... SPLIT PARTITIONS to make it easier to reorganize partitioned tables in place. There is now also support for returning rows that conflict during an upsert operation using INSERT ... ON CONFLICT DO SELECT ... RETURNING.

PostgreSQL 19 introduces the new GROUP BY ALL syntax, making it easy to add all non-aggregate and non-window output columns as part of the grouping. This release extends string processing capabilities in jsonpath with the addition of lower(), upper(), initcap(), replace(), split_part(), and the trim() family of functions.

PostgreSQL 19 makes it easier to adopt "read-your-writes" query patterns when working with replicas using the new WAIT FOR LSN command. This lets a session wait until changes up to a specific log position (LSN) have been replayed on the replica before executing a SELECT query.

PostgreSQL 19 also adds new SQL functions to retrieve the DDL statements needed to recreate roles, tablespaces, and databases, simplifying scripting and migration tasks. Additionally, the random() function now works with date and timestamp types, and PL/Python now supports event triggers.

Security Features

PostgreSQL 19 adds server-side support for Server Name Indication (SNI) through a new pg_hosts.conf file, allowing a single PostgreSQL server to present different TLS certificates based on the hostname requested by the client. There is also a new password_expiration_warning_threshold setting (defaulting to 7 days) to warn users in advance of upcoming password expirations.

Further to the ongoing deprecation efforts of md5 authentication, this release issues a warning to the client after a successful md5 authentication. This is controllable via the new md5_password_warnings setting.

Monitoring and Observability

PostgreSQL 19 introduces the pg_stat_lock view, which reports per-lock-type statistics, and pg_stat_recovery which provides detailed visibility into the state of recovery operations. A stats_reset column is now available across many statistics views to show when counters were last cleared. The pg_stat_progress_vacuum and pg_stat_progress_analyze views now include a started_by column that reports the initiator of the operation, and pg_stat_progress_vacuum also has a mode column that reports how vacuum is operating.

This release also allows log_min_messages levels to be specified per process type, giving operators finer control over what each part of the system logs. Additionally, WAL full page write byte counts are now reported in VACUUM and ANALYZE log output, helping identify maintenance operations that generate large amounts of WAL. Additionally, EXPLAIN ANALYZE now supports surfacing asynchronous I/O (AIO) statistics through its IO option, providing better visibility into how queries are using the AIO subsystem.

Logical Replication and Query Federation

In PostgreSQL 19, logical replication now replicates sequence values, simplifying tasks like online upgrades. Additionally, the new CREATE PUBLICATION ... EXCEPT syntax allows you to publish all tables in a database except for a specified set, while CREATE SUBSCRIPTION ... SERVER allows subscriptions to be defined using a foreign server, simplifying credential management.

PostgreSQL 19 makes it possible to enable logical replication without restarting a server. Logical replication can now be enabled on demand even when wal_level is set to replica, and the new read-only effective_wal_level parameter reports the WAL level currently in effect. This reduces the need to commit upfront to a higher WAL level for clusters that may only occasionally need it, and avoids disrupting an active workload.

The PostgreSQL foreign data wrapper, postgres_fdw, used for query federation, includes several performance improvements, including pushing down array operations to the remote server, and retrieving and using statistics from foreign tables to support better local query planning.

Other Highlights

The PostgreSQL 19 beta period includes a temporary "grease mode" to try to find protocol compatibility problems in the wider ecosystem. This wiki page contains information on how the campaign works:

https://wiki.postgresql.org/wiki/Grease

PostgreSQL 19 allows data checksums to be enabled or disabled online, without requiring a cluster restart or reinitialization.

There are several notable changes to be aware of in PostgreSQL 19. Just-in-time compilation (JIT) is now disabled by default, and the default_toast_compression setting now defaults to lz4, providing better default compression and decompression performance. Support for RADIUS authentication is now removed. Additionally, the vacuumdb --analyze-only command by default analyzes partitioned tables.

Additional Features

Many other new features and improvements have been added to PostgreSQL 19. Many of these may also be helpful for your use cases. Please see the release notes for a complete list of new and changed features:

https://www.postgresql.org/docs/19/release-19.html

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 19. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Beta Schedule

This is the first beta release of version 19. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release around September/October 2026. For further information please see the Beta Testing page.

PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.4, 17.10, 16.14, 15.18, and 14.23. This release fixes 11 security vulnerabilities and over 60 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 14 EOL Notice

PostgreSQL 14 will stop receiving fixes on November 12, 2026. If you are running PostgreSQL 14 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

CVSS v3.1 Base Score: 5.4

Supported, Vulnerable Versions: 14 - 18.

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2026-6473: PostgreSQL server undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Xint Code for reporting this problem.

CVE-2026-6475: PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

CVE-2026-6476: PostgreSQL pg_createsubscriber allows SQL injection via subscription name

CVSS v3.1 Base Score: 7.2

Supported, Vulnerable Versions: 17 - 18.

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

CVE-2026-6477: PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.

CVE-2026-6478: PostgreSQL discloses MD5-hashed passwords via covert timing channel

CVSS v3.1 Base Score: 6.5

Supported, Vulnerable Versions: 14 - 18.

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Joe Conway for reporting this problem.
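
A defender-side check for the exposure described in CVE-2026-6478, added here as an example and not part of the PostgreSQL announcement: it lists which roles still store an MD5-hashed password and which pg_hba.conf rules name md5. It assumes a superuser session, since pg_authid and pg_hba_file_rules are restricted to superusers by default.

```sql
-- Added example: audit for MD5-hashed passwords (CVE-2026-6478 exposure).
-- Assumption: run as a superuser in any database of the cluster
-- (pg_authid is a shared catalog, so one run covers all roles).

-- 1. Classify every role by the kind of password verifier it stores.
--    MD5 verifiers are the literal 'md5' followed by 32 hex digits;
--    SCRAM verifiers start with 'SCRAM-SHA-256$'.
SELECT rolname,
       rolcanlogin,
       rolvaliduntil,
       CASE
         WHEN rolpassword IS NULL                   THEN 'no password'
         WHEN rolpassword ~ '^md5[0-9a-f]{32}$'     THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%'    THEN 'scram-sha-256'
         ELSE 'unrecognized'
       END AS verifier
FROM pg_catalog.pg_authid
ORDER BY (rolpassword ~ '^md5[0-9a-f]{32}$') DESC NULLS LAST, rolname;

-- 2. Hash method applied to passwords set from now on.
--    Anything other than scram-sha-256 creates new MD5 verifiers.
SHOW password_encryption;

-- 3. pg_hba.conf rules that name md5. A rule alone is not the exposure:
--    an md5 rule negotiates SCRAM when the role's stored verifier is SCRAM,
--    so compare these rules against the roles flagged 'md5' in query 1.
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_catalog.pg_hba_file_rules
WHERE auth_method = 'md5'
ORDER BY line_number;
```

A role flagged `md5` keeps that hash until its password is set again while password_encryption is scram-sha-256; the stored hash cannot be converted in place.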

CVE-2026-6479: PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

CVSS v3.1 Base Score: 7.5

Supported, Vulnerable Versions: 14 - 18.

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

CVE-2026-6575: PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 18.

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

The PostgreSQL project thanks Jeroen Gui for reporting this problem.

CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL injection

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a refint cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

CVSS v3.1 Base Score: 3.7

Supported, Vulnerable Versions: 16 - 18.

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix queries that could return incorrect results when using a nondeterministic collation over a unique index.
  • Fix loss of deferrability of foreign-key triggers. Previously, a foreign key defined as DEFERRABLE INITIALLY DEFERRED would behave as NOT DEFERRABLE after being set to NOT ENFORCED status and then back to ENFORCED. If you have a foreign key with this problem, after installing this update you can fix it by setting it to NOT ENFORCED and then back to ENFORCED.
  • Improve the planner's ability to apply partition pruning to more cases.
  • Fix self-join removal to handle join clauses that are only boolean columns, for example, ON t1.boolcol.
  • Several fixes around virtual generated columns, including ensuring INSERT ... ON CONFLICT works when EXCLUDED references a virtual generated column.
  • Report a serialization failure when MERGE encounters a concurrently-updated tuple in "repeatable read" or "serializable" isolation modes.
  • Fix CREATE TABLE ... LIKE ... INCLUDING STATISTICS for cases where the source table had one or more dropped columns.
  • Fix WITHOUT OVERLAPS to allow domains.
  • Disallow making a composite type be a member of itself via a multirange.
  • Fix sometimes-incorrect results when array_agg(anyarray) executes in parallel.
  • Prevent bloating during restore of an incremental backup.
  • Prevent stuck logical replication slot synchronization worker processes from blocking promotion of a standby server.
  • Make the pg_aios system view pid column show NULL instead of 0 when an entry has no owning process.
  • Fix cases where pg_stat_replication shows NULL lag even while replication is active.
  • Correctly display JOIN alias variables that are used in GROUP BY.
  • If the startup process fails, properly shut down other child processes before exiting the postmaster.
  • Fix race condition that could cause a standby server following WAL from a primary of an older minor version to get into a crash-and-restart loop.
  • Prevent indefinite wait in shutdown of a walsender process when logical replication is actively publishing data.
  • Ensure that free space map changes are persisted during recovery. This could have performance ramifications on a standby server after promotion.
  • Fix assorted bugs in backup decompression and tar-parsing code used in pg_basebackup and pg_verifybackup.
  • Ensure pg_dumpall doesn't skip role grants with dangling grantor OIDs, restoring the behavior before PostgreSQL 16. Emits a warning about missing grantor if the source server is PostgreSQL 16 or later.
  • Fix pg_upgrade to use the correct protocol version when connecting to older source servers.
  • Fix output in pg_overexplain when using the RANGE_TABLE option.
  • Fix postgres_fdw crash due to premature cleanup of a failed connection.

This release also updates time zone data files to tzdata release 2026b, in which British Columbia (America/Vancouver) will be on year-round UTC-07 (effectively, permanent DST) beginning in November 2026. This release assumes that their TZ abbreviation will be MST from that time forward (though this could change). There is also a historical correction for Moldova, which has used EU DST transition times since 2022.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply stop PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

Updates to PGCA Non-Profit Sponsorship Levels & Website

As of February 2026, the PostgreSQL Community Association (PGCA), the official non-profit organization chartered by the PostgreSQL Core Team in 2011 to protect the Postgres brand assets, has updated its sponsorship levels and sponsorship prospectus.

Updated PGCA sponsorship levels

The PGCA Board would not be able to protect the PostgreSQL trademarks and brand assets without the generous financial support we receive from corporations, small businesses, and individual donors. We are deeply grateful for that support.

After reviewing sponsorship models used by other open source foundations, and in light of the increasing costs required to protect the PostgreSQL brand assets, we have increased the top two sponsorship levels: Benefactor and Patron, effective February 1, 2026. All other sponsorship levels remain unchanged. As always, we welcome and value donations at all levels, in any amount.

Significant update to the PGCA non-profit website

We’ve also made a significant update to the PGCA website, to modernize it and bring it forward to the present. We hope the new site makes it easier to understand the PGCA’s non-profit mission, learn how to use PostgreSQL trademarks appropriately, and donate, whether as a one-time or monthly contribution.

The updated PGCA website is at the same URL as before: www.postgres.ca.

Updated sponsorship levels and the sponsorship prospectus can be found on the Sponsors page at www.postgres.ca/sponsors/.

PostgreSQL 18.3, 17.9, 16.13, 15.17, and 14.22 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.3, 17.9, 16.13, 15.17, and 14.22. This is an out-of-cycle release that fixes several regressions reported after the last update release.

For the full list of changes, please review the release notes.

Bug Fixes and Improvements

This update fixes several bugs that were reported since the previous release. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix issue where a standby would halt and return an error "could not access status of transaction".
  • Fix error where the substring() function would raise an error "invalid byte sequence for encoding" on non-ASCII text values if the source of that value is a database column. This was due to a change introduced for the fix to CVE-2026-2006.
  • Fix for the strict_word_similarity function in pg_trgm that could lead to incorrect output or crashes. This was due to an oversight in the fix for CVE-2026-2007.
  • Fix function volatility for json_strip_nulls() and jsonb_strip_nulls() to be immutable, like previous releases, allowing for them to be used in indexes. If you previously upgraded to PostgreSQL 18.0 through 18.2, see the additional steps in the "Updating" section.
  • Fix for NOT NULL tests in LATERAL UNION ALL subquery that could lead to wrong query output.
  • Avoid NOT NULL constraints from generating name conflicts with user-written constraints.
  • Fix pg_stat_get_backend_wait_event() and pg_stat_get_backend_wait_event_type() to report values for auxiliary processes, similar to pg_stat_activity.
  • Fix casting a composite-type variable to a domain type when returning its value from a PL/pgSQL function.
  • Fix the hstore binary input function to avoid crashes on input with duplicate keys.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

If you previously upgraded to PostgreSQL 18.0, 18.1 or 18.2, you need to execute the following SQL as a PostgreSQL superuser in all of your databases to make the json_strip_nulls() and jsonb_strip_nulls() functions immutable:

UPDATE pg_catalog.pg_proc SET provolatile = 'i' WHERE oid IN ('3261','3262');

You should also execute this command in the template0 and template1 databases so future databases you create in your PostgreSQL cluster have the correct function volatility setting. Please see the documentation on template databases for more information.
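
The procedure above as a psql script, added here as an example and not part of the PostgreSQL announcement; it also covers the fact that template0 refuses connections by default. Assumptions: a superuser session, a maintenance database named postgres, and template0 still at its initdb default of datallowconn = false.

```sql
-- Added example (psql script, uses \connect meta-commands).
-- Assumptions: superuser session; a database named "postgres" exists;
-- template0 has datallowconn = false (the initdb default).

-- 1. List every database that needs the fix and whether it accepts connections.
SELECT datname, datallowconn
FROM pg_catalog.pg_database
ORDER BY datname;

-- 2. In each connectable database (template1 shown here), apply the
--    statement from the announcement, then verify the result.
\connect template1
UPDATE pg_catalog.pg_proc SET provolatile = 'i' WHERE oid IN ('3261','3262');
-- Expect two rows, json_strip_nulls and jsonb_strip_nulls, both with provolatile = 'i'.
SELECT oid, proname, provolatile
FROM pg_catalog.pg_proc
WHERE oid IN (3261, 3262);

-- 3. template0: open it for connections only for the duration of the fix.
\connect postgres
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
\connect template0
UPDATE pg_catalog.pg_proc SET provolatile = 'i' WHERE oid IN ('3261','3262');
SELECT oid, proname, provolatile
FROM pg_catalog.pg_proc
WHERE oid IN (3261, 3262);

-- 4. Lock template0 again so it stays a pristine copy source.
\connect postgres
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
```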

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.

apt.postgresql.org: changelogs, build logs and Ubuntu releases resolute and plucky

News from apt.postgresql.org:

Changelogs

apt.postgresql.org now has changelog files in a place where apt can retrieve them automatically, for example

apt changelog postgresql-18

will download the file and display it in a pager. Mind that, so far, the files are only present for packages updated since last week; the rest will follow over time.

Build logs

Likewise, package build logs are now also stored along with the packages in .build.xz files in the pool directory. (There is no automated download tool for them, though.)

Ubuntu releases resolute and plucky

Work on the upcoming Ubuntu 26.04 "resolute" release has started and packages are available on apt.postgresql.org.

The Ubuntu 25.04 "plucky" release has reached its end of life and has been moved to apt-archive.postgresql.org.

Christoph

Out-of-cycle release scheduled for February 26, 2026

The PostgreSQL Global Development Group is planning for an out-of-cycle release on February 26, 2026 due to regressions introduced in the February 12, 2026 update release, which included releases 18.2, 17.8, 16.12, 15.16, and 14.21. This release will provide fixes for all supported versions (18.3, 17.9, 16.13, 15.17, 14.22). While these fixes may not impact all PostgreSQL users, the PostgreSQL Global Development Group wants to address these issues before the next scheduled release on May 14, 2026.

The regressions from this release include:

For the substring() regression, the fix for CVE-2026-2006, which closed a vulnerability in the database server, introduced a regression causing substring() to improperly return an error on multi-byte (non-ASCII) text values if the source of that value was a database column. If you've upgraded to 18.2, 17.8, 16.12, 15.16, or 14.21, and need the fix ahead of the February 26, 2026 release, you should consider manually applying the changes. Release specific information can be found here: https://wiki.postgresql.org/wiki/2026-02_Regression_Fixes.

Ahead of this release, you can find additional information about the regressions and fixes here: https://wiki.postgresql.org/wiki/2026-02_Regression_Fixes.

PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.2, 17.8, 16.12, 15.16, and 14.21. This release fixes 5 security vulnerabilities and over 65 bugs reported over the last several months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Altan Birler for reporting this problem.

CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory

CVSS v3.1 Base Score: 8.2

Supported, Vulnerable Versions: 18.

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Bug Fixes and Improvements

This update fixes over 65 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix inconsistent case-insensitive text matching in the ltree extension. If you use an index on an ltree column, in some cases you may need to perform a reindex. See the "Updating" section for additional instructions.
  • Executing ALTER TABLE ... ADD CONSTRAINT to add a NOT NULL constraint on a column that already is marked as NOT NULL now requires the constraint name to match the existing constraint name.
  • Fix trigger behavior when MERGE is executed from a WITH query to include rows affected by the MERGE.
  • Several query planner fixes.
  • Fix for text substring search for non-deterministic collations.
  • Several fixes for NOTIFY error handling and reporting.
  • Use the correct ordering function in GIN index parallel builds.
  • Fix incorrect handling of incremental backups with tables larger than 1GB.
  • Fail recovery if WAL does not exist back to the redo point indicated by the checkpoint record.
  • Fix for ALTER PUBLICATION to ensure event triggers contain all set options.
  • Several fixes around replication slot initialization.
  • Don't advance replication slot after a logical replication parallel worker apply failure to prevent transaction loss on the subscriber.
  • Fix error reporting for SQL/JSON path type mismatches.
  • Fix JIT compilation function inlining when using LLVM 17 or later.
  • Add new server parameter file_extend_method to control use of posix_fallocate().
  • Fix psql tab completion for the VACUUM command options.
  • Fix pg_dump to handle concurrent sequence drops gracefully and to fail if the calling user explicitly lacks privileges to read the sequence.
  • Several fixes for amcheck around btree inspection.
  • Avoid crash in pg_stat_statements when an IN list contains both constants and non-constant expressions.

This release also updates time zone data files to tzdata release 2025c, which only has a historical data change for pre-1976 timestamps in Baja California.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

If you have indexes on ltree columns and do not use the libc collation provider, after upgrading to the latest version, you must reindex any ltree column. You can use REINDEX INDEX CONCURRENTLY to minimize the impact on your system.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.


PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. This release fixes 2 security vulnerabilities and over 50 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 13 EOL Notice

This is the final release of PostgreSQL 13. PostgreSQL 13 is now end-of-life and will no longer receive security and bug fixes. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 18.

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 18.

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Aleksey Solovev (Positive Technologies) for reporting this problem.

Bug Fixes and Improvements

This update fixes over 50 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

  • Avoid returning duplicate rows from hash right semi-joins.
  • Avoid possible out-of-memory failures during parallel GIN index build.
  • Several fixes for BRIN indexes.
  • Fixes for crashes related to partitioned tables, including one occurring during a recheck.
  • Avoid duplicating hash partition constraints during DETACH CONCURRENTLY, which previously caused issues during dump/restore or if a parent table is dropped after the DETACH.
  • Disallow generated columns in partition keys and in COPY ... FROM ... WHERE clauses.
  • Fix incorrect reporting of replication lag in pg_stat_replication view.
  • Avoid failures when synchronized_standby_slots references nonexistent replication slots.
  • Avoid unwanted WAL receiver shutdown when switching from streaming to archive WAL source.
  • Avoid unnecessary invalidation of logical replication slots.
  • Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment statements.
  • Avoid leaking memory when handling a SQL error within PL/Python.
  • Fix how libpq handles socket-related errors on Windows within its GSSAPI logic.
  • Fix dumping of non-inherited NOT NULL constraints on inherited table columns.
  • Ensure consistent ordering of foreign key constraints in the output of pg_dump.
  • Several fixes for pgbench error handling and reporting.
  • Fix memory leak in pg_combinebackup.
  • Allow nonsuperusers with SELECT privileges on a table to use pg_prewarm to prewarm indexes on that table.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.


PostgreSQL 18 Released!

The PostgreSQL Global Development Group today announced the release of PostgreSQL 18, the latest version of the world's most advanced open source database. Translations of this press release are available in the PostgreSQL 18 press kit.

PostgreSQL 18 improves performance for workloads of all sizes through a new I/O subsystem that has demonstrated up to 3× performance improvements when reading from storage, and also increases the number of queries that can use indexes. This release makes major-version upgrades less disruptive, accelerating upgrade times and reducing the time required to reach expected performance after an upgrade completes. Developers also benefit from PostgreSQL 18 features, including virtual generated columns that compute values at query time, and the database-friendly uuidv7() function that provides better indexing and read performance for UUIDs. PostgreSQL 18 makes it easier to integrate with single-sign on (SSO) systems with support for OAuth 2.0 authentication.

"The efforts of the global open source community shape every PostgreSQL release and help deliver features that meet users where their data resides," said Jonathan Katz, a member of the PostgreSQL core team. "PostgreSQL 18 builds on the project's long, rich history of delivering a reliable and robust data management experience, while continuing to expand the workloads it can support."

PostgreSQL, an innovative data management system known for its reliability, robustness, and extensibility, benefits from nearly 30 years of open source development from a global developer community and has become the preferred open source relational database for organizations of all sizes.

Introducing asynchronous I/O

PostgreSQL previously relied on operating system readahead mechanisms to accelerate data retrieval. However, because operating systems lack insight into database-specific access patterns, they cannot always anticipate what data will be required, leading to suboptimal performance in many workloads.

PostgreSQL 18 introduces a new asynchronous I/O (AIO) subsystem designed to address this limitation. AIO lets PostgreSQL issue multiple I/O requests concurrently instead of waiting for each to finish in sequence. This expands existing readahead and improves overall throughput. AIO operations supported in PostgreSQL 18 include sequential scans, bitmap heap scans, and vacuum. Benchmarking has demonstrated performance gains of up to 3x in certain scenarios.

The new io_method setting lets you toggle between the AIO methods, including worker and io_uring, or you can choose to maintain the current PostgreSQL behavior with the sync setting. There are now more parameters to consider tuning with AIO, which you can learn more about in the documentation.

Faster upgrades, better post-upgrade performance

A key PostgreSQL feature is the generation and storage of statistics that help PostgreSQL select the most efficient query plan. Before PostgreSQL 18, these statistics didn't carry over on a major version upgrade, which could cause significant query performance degradations on busy systems until the ANALYZE finished running. PostgreSQL 18 introduces the ability to keep planner statistics through a major version upgrade, which helps an upgraded cluster reach expected performance more quickly after the upgrade.

Additionally, pg_upgrade, a utility that performs major version upgrades, includes several enhancements in PostgreSQL 18, such as faster upgrades when a database contains many objects like tables and sequences. This release also lets pg_upgrade process its checks in parallel based on the settings of the --jobs flag, and adds the --swap flag that swaps upgrade directories instead of copying, cloning, or linking files.

Query and general performance enhancements

PostgreSQL 18 further accelerates query performance with features that automatically make your workloads faster. This release introduces "skip scan" lookups on multicolumn B-tree indexes that improve execution time for queries that omit an = condition on one or more prefix index columns. It can also optimize queries that use OR conditions in a WHERE to use an index, leading to significantly faster execution. There are also numerous improvements for how PostgreSQL plans and executes table joins, from boosting the performance of hash joins to allowing merge joins to use incremental sorts. PostgreSQL 18 also supports parallel builds for GIN indexes, joining B-tree and BRIN indexes in supporting this capability.

This release also builds on PostgreSQL support for hardware acceleration, including support for ARM NEON and SVE CPU intrinsics for the popcount function, which is used by the bit_count and other internal capabilities.

Enhancing the developer experience

PostgreSQL 18 introduces virtual generated columns that compute values at query time instead of storing them. This is now the default option for generated columns. Additionally, stored generated columns can now be logically replicated.

This release adds the capability to access both the previous (OLD) and current (NEW) values in the RETURNING clause for INSERT, UPDATE, DELETE and MERGE commands. PostgreSQL 18 also adds UUIDv7 generation through the uuidv7() function, letting you generate random UUIDs that are timestamp-ordered to support better caching strategies. PostgreSQL 18 includes uuidv4() as an alias for gen_random_uuid().

PostgreSQL 18 adds temporal constraints -- constraints over ranges -- for both PRIMARY KEY and UNIQUE constraints using the WITHOUT OVERLAPS clause, and on FOREIGN KEY constraints using the PERIOD clause.

Finally, PostgreSQL 18 makes it easier to create the schema definition of a foreign table using the definition of a local table with the CREATE FOREIGN TABLE ... LIKE command.

Improved text processing

PostgreSQL 18 makes text processing easier and faster with several new enhancements. This release adds the PG_UNICODE_FAST collation, which provides full Unicode semantics for case transformations while helping to accelerate many comparisons. This includes the upper and lower string comparison functions and the new casefold function for case-insensitive comparisons. Additionally, PostgreSQL 18 now supports making LIKE comparisons over text that uses a nondeterministic collation, simplifying how you can perform more complex pattern matching. This release also changes full text search to use the default collation provider of a cluster instead of always using libc, which may require you to reindex all full text search and pg_trgm indexes after running pg_upgrade.

Authentication and security features

PostgreSQL 18 introduces oauth authentication, which lets users authenticate using OAuth 2.0 mechanisms supported through PostgreSQL extensions. Additionally, PostgreSQL 18 includes validation for FIPS mode, and adds the ssl_tls13_ciphers parameter for configuring server-side TLS v1.3 cipher suites.

This release deprecates md5 password authentication, which will be removed in a future release. If you require PostgreSQL password-based authentication, use SCRAM authentication. PostgreSQL 18 also supports SCRAM passthrough authentication with both postgres_fdw and dblink for authenticating to remote PostgreSQL instances. Additionally, pgcrypto now supports SHA-2 encryption for password hashing.

Replication

PostgreSQL 18 supports reporting logical replication write conflicts in logs and in the pg_stat_subscription_stats view. Additionally, CREATE SUBSCRIPTION now defaults to using parallel streaming for applying transactions, which can help improve performance. The pg_createsubscriber utility now has an --all flag so you can create logical replicas for all databases in an instance with a single command. PostgreSQL 18 also lets you automatically drop idle replication slots to help prevent storing too many write-ahead log files on a publisher.

Maintenance and observability

PostgreSQL 18 improves its vacuum strategy by proactively freezing more pages during regular vacuums, reducing overhead and helping in situations that require aggressive vacuums.

PostgreSQL 18 adds more details to EXPLAIN, which provides information about query plan execution, and as of this release now automatically shows how many buffers (the fundamental unit of data storage) are accessed when executing EXPLAIN ANALYZE. Additionally, EXPLAIN ANALYZE now shows how many index lookups occur during an index scan, and EXPLAIN ANALYZE VERBOSE includes CPU, WAL, and average read statistics. PostgreSQL 18 includes more info in pg_stat_all_tables on time spent on vacuum and related operations, as well as per-connection statistics on I/O and WAL utilization.

Other notable changes

Databases initialized with PostgreSQL 18 initdb now have page checksums enabled by default. This can affect upgrades from non-checksum enabled clusters, which would require you to create a new PostgreSQL 18 cluster with the --no-data-checksums option when using pg_upgrade.

PostgreSQL 18 also introduces a new version (3.2) of the PostgreSQL wire protocol, the first new protocol version since PostgreSQL 7.4 (2003). libpq still uses version 3.0 by default while clients (e.g., drivers, poolers, proxies) add support for the new protocol version.

Additional Features

Many other new features and improvements have been added to PostgreSQL 18 that may also be helpful for your use cases. Please see the release notes for a complete list of new and changed features.

About PostgreSQL

PostgreSQL is the world's most advanced open source database, with a global community of thousands of users, contributors, companies and organizations. Since its beginnings at the University of California, Berkeley over 40 years ago, PostgreSQL has continued with an unmatched pace of development. PostgreSQL's mature feature set not only matches top proprietary database systems, but exceeds them in advanced database features, extensibility, security, and stability.


PostgreSQL 18 RC 1 Released!

The PostgreSQL Global Development Group announces that the first release candidate of PostgreSQL 18 is now available for download. As a release candidate, PostgreSQL 18 RC 1 will be mostly identical to the initial release of PostgreSQL 18, though some more fixes may be applied prior to the general availability of PostgreSQL 18.

The planned date for the general availability of PostgreSQL 18 is September 25, 2025. Please see the "Release Schedule" section for more details.

Upgrading to PostgreSQL 18 RC 1

To upgrade to PostgreSQL 18 RC 1 from earlier versions of PostgreSQL, you will need to use a major version upgrade strategy, e.g. pg_upgrade or pg_dump / pg_restore. For more information, please visit the documentation section on upgrading:

https://www.postgresql.org/docs/18/upgrading.html

Changes Since 18 Beta 3

Several bug fixes were applied for PostgreSQL 18 during the Beta 3 period. These include:

  • Skip vacuuming virtual generated columns when using vacuumdb --missing-stats-only.
  • Added recommendation on when to reindex full-text search and pg_trgm indexes after using pg_upgrade.

For a detailed list of fixes, please visit the open items page.

Release Schedule

This is the first release candidate for PostgreSQL 18. Unless an issue is discovered that warrants a delay or an additional release candidate, PostgreSQL 18 should be made generally available on September 25, 2025.

For further information please see the Beta Testing page.


PostgreSQL 17.6, 16.10, 15.14, 14.19, 13.22, and 18 Beta 3 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.6, 16.10, 15.14, 14.19, and 13.22, as well as the third beta release of PostgreSQL 18. This release fixes 3 security vulnerabilities and over 55 bugs reported over the last several months.

If you previously created a BRIN index using the numeric_minmax_multi_ops operator class, please see the "Updating" section for additional instructions after upgrading your instance.

For the full list of changes, please review the release notes.

PostgreSQL 13 EOL Notice

PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 17.

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

The PostgreSQL project thanks Dean Rasheed for reporting this problem.

CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 13 - 17.

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem.

CVE-2025-8715: PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 13 - 17.

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

The PostgreSQL project thanks Noah Misch for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix for BRIN indexes using the numeric_minmax_multi_ops operator class that could cause them to become bloated and inefficient. Please see the "Updating" section for instructions on how to fix these indexes.
  • Several fixes for logical replication, including fixes for memory allocation failure, duplicate transaction replay, infinite wait, unexpected shutdown, and a standby unable to shut down.
  • Fix premature removal of old WAL during a checkpoint, which could impact recovery when using replication slots.
  • Revert a change that could reject XML documents over 10MB in size.
  • Fix how nested character classes (e.g. [[:alpha:]%_]) are handled in SIMILAR TO expressions.
  • Restore the ability for PL/pgSQL expressions to use parallel execution.
  • Avoid a rare scenario where a B-tree index could modify the wrong entry.
  • Several fixes for MERGE, including incorrect query results with concurrency and when targeting a table that is a parent in an inheritance hierarchy.
  • Fix LZ4 decompression failure that could occur on data that is not very compressible.
  • Prevent an infinite loop in checkpoints on systems with very large shared_buffers settings.
  • Fix issues with GSSAPI authentication when using Active Directory accounts with many group memberships. This release also fixes timing-dependent connection failures when using SSL or GSSAPI encryption in non-blocking mode.
  • Fix a crash in libpq function PQcancelCreate().
  • Fix several resource leaks.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

If you have any BRIN indexes that use the numeric_minmax_multi_ops operator class, it is advisable to REINDEX them after updating to fix any potential bloating and inefficiency.
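Both this BRIN note and the ltree reindex note in the update announcement further up ask you to rebuild indexes of a particular kind. The catalog queries below are an added example, not part of the PostgreSQL announcement; they assume the ltree extension's type is named ltree and identify affected indexes by operator class.

```sql
-- Added example: locate the indexes named in the "Updating" notes and emit
-- REINDEX commands. System catalogs are per-database, so run this in every
-- database of the cluster.

-- 1. Default collation provider of the current database, for the ltree note
--    ("do not use the libc collation provider").
--    'c' = libc, 'i' = ICU, 'b' = builtin.
--    The datlocprovider column exists in PostgreSQL 15 and later only.
SELECT datname, datlocprovider
FROM pg_database
WHERE datname = current_database();

-- 2. Indexes that use an operator class the notes call out:
--      * any operator class whose input type is ltree (any access method)
--      * the BRIN operator class numeric_minmax_multi_ops
--    pg_index.indclass holds one operator class OID per index column, so the
--    join can match an index more than once; DISTINCT collapses the repeats.
SELECT DISTINCT
       n.nspname  AS schema_name,
       tc.relname AS table_name,
       ic.relname AS index_name,
       am.amname  AS access_method,
       o.opcname  AS operator_class,
       pg_size_pretty(pg_relation_size(ic.oid)) AS index_size,
       -- Drop CONCURRENTLY if a blocking rebuild is acceptable.
       format('REINDEX INDEX CONCURRENTLY %I.%I;', n.nspname, ic.relname)
           AS reindex_cmd
FROM pg_index i
JOIN pg_class ic    ON ic.oid = i.indexrelid
JOIN pg_class tc    ON tc.oid = i.indrelid
JOIN pg_namespace n ON n.oid = ic.relnamespace
JOIN pg_opclass o   ON o.oid = ANY (i.indclass)
JOIN pg_am am       ON am.oid = o.opcmethod
JOIN pg_type t      ON t.oid = o.opcintype
WHERE ic.relkind = 'i'   -- leaf indexes only; partitioned parents hold no data
  AND (t.typname = 'ltree'
       OR (am.amname = 'brin' AND o.opcname = 'numeric_minmax_multi_ops'))
ORDER BY schema_name, table_name, index_name;
```

Matching on the operator class rather than the column type also catches expression indexes and GiST indexes, whose stored key type differs from the column type.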

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

A Note on the PostgreSQL 18 Beta

This release marks the third beta release of PostgreSQL 18 and puts the community one step closer to general availability tentatively around September/October 2025.

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 18 on your systems to help us eliminate bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 3 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback help the community ensure that PostgreSQL 18 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

Upgrading to PostgreSQL 18 Beta 3

To upgrade to PostgreSQL 18 Beta 3 from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more information, please visit the documentation section on upgrading.

Changes Since Beta 2

Fixes and changes in PostgreSQL 18 Beta 3 include:

  • Fix for performance regression in trivial queries.
  • Fix "can't get cancellation key" error observed with some additional software.
  • Fix for background workers failing to restart after crashes.
  • Fix a rare asynchronous I/O failure.
  • Stop dumping excess objects in pg_dumpall --statistics-only and --no-schema.
  • Remove pg_dumpall non-text output file formats.
  • Fix date_trunc(..., 'infinity'::timestamptz) on 32-bit systems.

Please see the release notes for a complete list of new and changed features:

https://www.postgresql.org/docs/18/release-18.html

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 18. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Beta Schedule

This is the third beta release of version 18. The PostgreSQL Project will release one or more release candidates before the final release around September/October 2025. For further information please see the Beta Testing page.

Links

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.


PostgreSQL 18 Beta 2 Released!

The PostgreSQL Global Development Group announces that the second beta release of PostgreSQL 18 is now available for download. This release contains previews of all features that will be available when PostgreSQL 18 is made generally available, though some details of the release can change during the beta period.

You can find information about all of the PostgreSQL 18 features and changes in the release notes:

https://www.postgresql.org/docs/18/release-18.html

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 18 on your systems to help us eliminate bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 2 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback help the community ensure that PostgreSQL 18 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

Upgrading to PostgreSQL 18 Beta 2

To upgrade to PostgreSQL 18 Beta 2 from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more information, please visit the documentation section on upgrading.

Changes Since Beta 1

Fixes and changes in PostgreSQL 18 Beta 2 include:

  • Add support for prepared statements in squashing lists in query jumbling.
  • Fix for foreign key validation on partitioned tables.
  • Remove pg_get_process_memory_contexts() function.
  • Several fixes for injection point testing to support testing AIO.
  • Fix pg_dump for tables with complex names.
  • Fix for statement location calculation for nested statements.
  • Fix for upgrades from PostgreSQL 14 when the number of rows in a table is unknown.
  • Fix stack overflow for OAuth parsers.
  • Set pg_dump and pg_dumpall default behavior to use --no-statistics. Leave the default for pg_restore and pg_upgrade to be --with-statistics.
  • Ensure LOAD $libdir/ works.
  • Improvements for GIN amcheck.
  • Remove PQservice() from libpq.

Please see the release notes for a complete list of new and changed features:

https://www.postgresql.org/docs/18/release-18.html

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 18. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Beta Schedule

This is the second beta release of version 18. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release around September/October 2025. For further information please see the Beta Testing page.


PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.5, 16.9, 15.13, 14.18, and 13.21. This release fixes 1 security vulnerability and over 60 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 13 EOL Notice

PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-4207: PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 17.

A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Handle self-referential foreign keys on partitioned tables correctly. Creating or attaching partitions failed to make the required catalog entries for a foreign-key constraint if the table referenced by the constraint was the same partitioned table. This resulted in failure to enforce the constraint fully. To fix this, please see the instructions in the "Updating" section.
  • Fix for potential data loss issue when using BRIN bloom indexes (e.g. using the date_bloom_ops operator class).
  • Fix MERGE into a partitioned table with DO NOTHING actions.
  • Prevent failure in INSERT commands when the table has a GENERATED column of a domain type and the domain's constraints disallow NULL values.
  • Fix ALTER TABLE .. ADD COLUMN to correctly handle the case of a domain type that has its own default value and the DEFAULT for the column is not set.
  • Fix issues when performing casts within the keys of JSON constructor expressions.
  • Fix XMLSERIALIZE() so that the INDENT option is correctly dumped out when it's present in views or rules. This was noticeable on restores.
  • Several query planner fixes, including avoiding a premature evaluation of arguments in an aggregate function that has both FILTER and either ORDER BY or DISTINCT clauses that could lead to unnecessary failures.
  • Fix for potentially returning incorrect results when a bitmap scan without output columns is executed while vacuum is also running on the same table.
  • Fix performance issues in GIN index search startup when there are many search keys, for example, jsonbcol ?| array[...] with tens of thousands of array elements.
  • Ensure that I/O statistics of active WAL senders are reported within at most one second.
  • Fix race condition in handling of synchronous_standby_names immediately after startup, where a backend might fail to wait for a synchronous commit.
  • Avoid infinite loop if scram_iterations is set to INT_MAX.
  • Several fixes for logical replication, including handling of vacuum around deleted rows that are still required for logical decoding.
  • Prevent potential data loss when schema modification operations (DDL) that don't take a strong lock affect tables that are being logically replicated.
  • Prevent issues in logical replication that could allow duplicate data to be applied due to apply worker error handling.
  • Improve how reindexdb handles scheduling parallel reindex operations to achieve the expected amount of parallelism.

This release also updates time zone data files to tzdata release 2025b for DST law changes in Chile, plus historical corrections for Iran. Additionally, there is a new time zone America/Coyhaique for Chile's Aysén Region, to account for it changing to UTC-03 year-round, which diverges from America/Santiago.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

If you created a self-referential foreign key on a partitioned table, after updating, you should drop and recreate any of these self-referential foreign keys if partitions have been created or attached since the constraint was created. There may be rows in the partition that violate this constraint, in which case recreating the constraint will fail, and you'll need to correct those rows before trying again.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.


PostgreSQL 18 Beta 1 Released!

The PostgreSQL Global Development Group announces that the first beta release of PostgreSQL 18 is now available for download. This release contains previews of all features that will be available when PostgreSQL 18 is made generally available, though some details of the release can change during the beta period.

You can find information about all of the PostgreSQL 18 features and changes in the release notes:

https://www.postgresql.org/docs/18/release-18.html

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 18 on your systems to help us eliminate bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 1 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback help the community ensure that PostgreSQL 18 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

PostgreSQL 18 Feature Highlights

Below are some of the feature highlights that are planned for PostgreSQL 18. This list is not exhaustive; for the full list of planned features, please see the release notes.

Performance

PostgreSQL 18 introduces an asynchronous I/O (AIO) subsystem. This new subsystem makes it possible to increase I/O throughput and to hide I/O latency. On Linux, io_uring can be used for AIO; a worker-based implementation is available on all platforms. This initial release supports file system reads such as sequential scans, bitmap heap scans, and vacuums, with tests showing up to a 2-3x performance improvement.

These performance gains extend to query optimizations and new indexing features. PostgreSQL 18 adds support for using "skip scan" lookups on multicolumn B-tree indexes, which can result in faster execution times for queries that omit a "=" condition on one or more prefix index columns. This release also includes optimizations for WHERE clauses that contain OR and IN (...) statements to better utilize recent indexing improvements which can also result in better query performance. There are also numerous performance improvements for how PostgreSQL plans and executes table joins, from improving the overall performance of hash joins to allowing merge joins to use incremental sorts.

There are a variety of other PostgreSQL 18 features that improve performance for other query and maintenance operations. PostgreSQL 18 now supports parallel builds for GIN indexes, which are commonly used for search over JSON and full-text data. This release also allows you to define partition keys and materialized views with unique indexes which aren't B-trees. PostgreSQL 18 also improves overall locking performance for queries that access many relations, and adds several improvements to queries over partitioned tables, including improved pruning and join support. PostgreSQL 18 also has performance improvements in text processing, including general speedups to the upper/lower functions and a new built-in collation PG_UNICODE_FAST.

Major version upgrade experience

Before PostgreSQL 18, an important step after performing a major version upgrade was to run ANALYZE to generate statistics, which are a critical component of helping PostgreSQL select the most efficient query plan. Based on the size and overall activity of a PostgreSQL cluster, this could be a time-consuming process, and could potentially impact query performance until the process completed. PostgreSQL 18 introduces the ability to keep planner statistics through a major version upgrade, which helps an upgraded cluster to get to its expected performance state sooner once it's available.

Additionally, pg_upgrade, the utility used to facilitate a major version upgrade, added several performance enhancements to help accelerate upgrades with many objects, such as tables and sequences. This release also allows pg_upgrade to process its checks in parallel based on the settings of the --jobs flag, and also adds the --swap flag, which swaps upgrade directories instead of copying, cloning, or linking files.

Developer Experience

PostgreSQL 18 introduces virtual generated columns that compute the column values just-in-time during query execution, instead of having to store them. This is now the default option for generated columns. Additionally, stored generated columns can now be logically replicated.

This release adds the capability to access both the previous (OLD) and current (NEW) values in the RETURNING clause for INSERT, UPDATE, DELETE and MERGE commands. Additionally, PostgreSQL 18 adds support for UUIDv7 generation through the uuidv7() function, letting you generate random UUIDs that are timestamp-ordered to support better caching strategies (this release also adds uuidv4() as an alias for gen_random_uuid()).

In PostgreSQL 18, you can now make LIKE comparisons over text that uses a nondeterministic collation, making it simpler to do more complex pattern matching. Additionally, this release introduces the CASEFOLD function to help with case-insensitive matches.

This release also adds temporal constraints, or constraints over ranges, for both PRIMARY KEY and UNIQUE constraints using the WITHOUT OVERLAPS clause, and on FOREIGN KEY constraints using the PERIOD clause.

Security Features

PostgreSQL 18 introduces oauth authentication, which lets users authenticate using OAuth 2.0 mechanisms supported through PostgreSQL extensions. Additionally, PostgreSQL 18 adds several features to validate and enforce FIPS mode behavior, and also adds the ssl_tls13_ciphers parameter to let users configure which TLS v1.3 cipher suites the server can use.

This release deprecates md5 password authentication in favor of using SCRAM authentication that was first added in PostgreSQL 10. md5 authentication will be fully removed in a future major version release. Additionally, PostgreSQL 18 adds support for SCRAM passthrough authentication with both postgres_fdw and dblink when authenticating to remote PostgreSQL instances.

Monitoring and Observability

PostgreSQL 18 adds more details to the EXPLAIN utility, which provides information about query plan execution, and as of this release automatically shows how many buffers (the fundamental unit of data storage) are accessed when executing EXPLAIN ANALYZE. Additionally, EXPLAIN ANALYZE now shows how many index lookups occur during an index scan, and EXPLAIN ANALYZE VERBOSE includes CPU, WAL, and average read statistics. This release also includes information about the total amount of time spent vacuuming and analyzing a table in pg_stat_all_tables, and now shows per-connection statistics on I/O and WAL utilization.

PostgreSQL 18 also provides more insights into write conflicts that occur during logical replication, and surfaces this information both in logs and in the pg_stat_subscription_stats view.

Other Highlights

Starting with PostgreSQL 18, data checksums, which are used to validate the integrity of stored data, are now enabled by default on new PostgreSQL clusters. You can choose to disable this behavior using the initdb --no-data-checksums command. Note that this may require changes to your upgrade scripts.

Additionally, there are new behaviors available in several constraint features. First, both foreign key and check constraints can be set as NOT ENFORCED and conversely, made enforceable. Additionally, NOT NULL constraints now preserve their names as required by the SQL standard, support the NOT VALID and NO INHERIT clauses, and now behave more consistently with inheritance.

pg_createsubscriber now supports an --all flag so you can create logical replicas for all databases in an instance with a single command. Additionally, PostgreSQL 18 lets you create the schema definition of a foreign table from the definition of a local table with the CREATE FOREIGN TABLE ... LIKE command.

PostgreSQL 18 also introduces a new version (3.2) of the PostgreSQL wire protocol, which is the first new protocol version since PostgreSQL 7.4 (2003). libpq still uses version 3.0 by default while clients (e.g., drivers, poolers, proxies) add support for the new protocol version.

Additional Features

Many other new features and improvements have been added to PostgreSQL 18. Many of these may also be helpful for your use cases. Please see the release notes for a complete list of new and changed features:

https://www.postgresql.org/docs/18/release-18.html

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 18. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Beta Schedule

This is the first beta release of version 18. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release around September/October 2025. For further information please see the Beta Testing page.


PostgreSQL 17.4, 16.8, 15.12, 14.17, and 13.20 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.4, 16.8, 15.12, 14.17, and 13.20.

For the full list of changes, please review the release notes.

Bug Fixes and Improvements

The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Improve behavior of quoting functions in libpq. The fix for CVE-2025-1094 caused the quoting functions to not honor their string length parameters and, in some cases, cause crashes. This problem could be noticeable from a PostgreSQL client library, based on how it is integrated with libpq.
  • Fix small memory leak in pg_createsubscriber.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.


Out-of-cycle release scheduled for February 20, 2025

The PostgreSQL Global Development Group is planning for an out-of-cycle release on February 20, 2025 to address a regression that was released as part of the February 13, 2025 update release, which included release 17.3, 16.7, 15.11, 14.16, and 13.19. As part of this release, we will issue fixes for all supported versions (17.4, 16.8, 15.12, 14.17, 13.20). While these fixes may not impact all PostgreSQL users, the PostgreSQL Global Development Group determined that it would be better to address these sooner than the next scheduled release on May 8, 2025.

The fix for CVE-2025-1094, which closed a vulnerability in the libpq PostgreSQL client library, introduced a regression related to string handling for non-null-terminated strings. The error would be visible based on how a PostgreSQL client implemented this behavior, and may not impact all PostgreSQL drivers. As a precaution, the PostgreSQL Global Development Group opted for a follow-up release.

If you are impacted by this issue, we advise that you consider waiting for the availability of 17.4, 16.8, 15.12, 14.17, and 13.20 before upgrading.


PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 Released!

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.3, 16.7, 15.11, 14.16, and 13.19. This release fixes 1 security vulnerability and over 70 bugs reported over the last several months.

For the full list of changes, please review the release notes.

Security Issues

CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

CVSS v3.1 Base Score: 8.1

Supported, Vulnerable Versions: 13 - 17.

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.

The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher, Rapid7 for reporting this problem.

Bug Fixes and Improvements

This update fixes over 70 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Restore pre-v17 truncation behavior for >63-byte database names and usernames in connection requests.
  • Don't perform connection privilege checks and limits on parallel workers, and instead inherit these from the leader process.
  • Remove Lock suffix from LWLock wait event names.
  • Fix possible re-use of stale results in window aggregates, which could lead to incorrect results.
  • Several race condition fixes for vacuum that in the worst case could cause corruption to a system catalog.
  • Several fixes for truncating tables and indexes that prevent potential corruption.
  • Fix for detaching a partition where its own foreign-key constraint references a partitioned table.
  • Fix for the FFn (e.g., FF1) format codes for to_timestamp, where an integer format code before the FFn would consume all available digits.
  • Fixes for SQL/JSON and XMLTABLE() to double-quote specific entries when necessary.
  • Include the ldapscheme option in pg_hba_file_rules().
  • Several fixes for UNION, including not merging columns with non-compatible collations.
  • Several fixes that could impact availability or speed of starting a connection to PostgreSQL.
  • Fix multiple memory leaks in logical decoding output.
  • Fix several memory leaks in PL/Python.
  • Add psql tab completion for COPY (MERGE INTO).
  • Make pg_controldata more resilient when displaying info from corrupted pg_control files.
  • Fix for a memory leak in pg_restore with zstd-compressed data.
  • Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows.
  • Modify earthdistance to use SQL-standard function bodies, which fixes possible issues with major version upgrades to v17 when databases use this extension.
  • Fix crash in pageinspect in instances where the brin_page_items() function definition is not updated to the latest version.
  • Fix race condition when trying to cancel a postgres_fdw remote query.

This release also updates time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

If you have corrections or suggestions for this release announcement, please send them to the pgsql-www@lists.postgresql.org public mailing list.
