Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by elixir-ecto

    CVE-2026-58225 (GCVE-0-2026-58225)

    Vulnerability from nvd – Published: 2026-07-10 10:51 – Updated: 2026-07-10 12:50
    VLAI
    Title
    SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service
    Summary
    SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection. Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block. The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection. An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service. This issue affects postgrex: from 0.16.0 before 0.22.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-ecto postgrex Affected: 0.16.0 , < 0.22.3 (semver)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-ecto postgrex Affected: 266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 795c6062f62c4394272ff4b89170688857b4f841 (git)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich José Valim Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58225",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T11:47:10.671088Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T11:47:16.925Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "postgrex",
              "packageURL": "pkg:hex/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "0.22.3",
                  "status": "affected",
                  "version": "0.16.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "elixir-ecto/postgrex",
              "packageURL": "pkg:github/elixir-ecto/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "795c6062f62c4394272ff4b89170688857b4f841",
                  "status": "affected",
                  "version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "0.22.3",
                      "versionStartIncluding": "0.16.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a \u003ctt\u003eLISTEN\u003c/tt\u003e channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ePostgrex.Notifications\u003c/tt\u003e sanitizes channel names with \u003ctt\u003equote_channel/1\u003c/tt\u003e, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement \u003ctt\u003eLISTEN\u003c/tt\u003e and \u003ctt\u003eUNLISTEN\u003c/tt\u003e paths. On every (re)connect, however, \u003ctt\u003ehandle_connect/1\u003c/tt\u003e replays all registered channels at once by concatenating their \u003ctt\u003eLISTEN\u003c/tt\u003e statements and wrapping them in a dollar-quoted anonymous code block (\u003ctt\u003eDO $$BEGIN ... END$$\u003c/tt\u003e). \u003ctt\u003equote_channel/1\u003c/tt\u003e does not escape the \u003ctt\u003e$$\u003c/tt\u003e dollar-quote delimiter that opens and closes this block.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003elisten/3\u003c/tt\u003e guards only reject null bytes and names longer than 63 bytes, so a channel name containing \u003ctt\u003e$$\u003c/tt\u003e passes validation unchanged. Once such a name is embedded, its \u003ctt\u003e$$\u003c/tt\u003e prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because \u003ctt\u003ehandle_connect/1\u003c/tt\u003e runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\u003c/p\u003e\u003cp\u003eAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.3.\u003c/p\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\n\nPostgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.\n\nThe listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\n\nAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T12:50:40.297Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-58225.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-58225"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-ecto/postgrex/commit/795c6062f62c4394272ff4b89170688857b4f841"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eValidate channel names before passing untrusted input to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. Reject any name that contains the dollar-quote delimiter (\u003ctt\u003e$$\u003c/tt\u003e), or restrict channel names to a safe character set such as alphanumeric characters and underscores.\u003c/p\u003e"
                }
              ],
              "value": "Validate channel names before passing untrusted input to Postgrex.Notifications.listen/3. Reject any name that contains the dollar-quote delimiter ($$), or restrict channel names to a safe character set such as alphanumeric characters and underscores."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-58225",
        "datePublished": "2026-07-10T10:51:46.978Z",
        "dateReserved": "2026-06-29T18:54:08.633Z",
        "dateUpdated": "2026-07-10T12:50:40.297Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32687 (GCVE-0-2026-32687)

    Vulnerability from nvd – Published: 2026-05-12 14:18 – Updated: 2026-05-26 19:46
    VLAI
    Title
    SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect. This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1. This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-ecto postgrex Affected: 0.16.0 , < 0.22.2 (semver)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-ecto postgrex Affected: 266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 7cdedbd4316bb65f82e6a9a4f922c0ac491cb770 (git)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32687",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T19:44:22.093287Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T19:44:35.571Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "postgrex",
              "packageURL": "pkg:hex/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex.git",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "0.22.2",
                  "status": "affected",
                  "version": "0.16.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "elixir-ecto/postgrex",
              "packageURL": "pkg:github/elixir-ecto/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex.git",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "7cdedbd4316bb65f82e6a9a4f922c0ac491cb770",
                  "status": "affected",
                  "version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe application must call \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e or \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e with a channel name derived from untrusted user input.\u003c/p\u003e"
                }
              ],
              "value": "The application must call \u0027Elixir.Postgrex.Notifications\u0027:listen/3 or \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 with a channel name derived from untrusted user input."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "0.22.2",
                      "versionStartIncluding": "0.16.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027\u003c/tt\u003e module) allows SQL Injection.\u003cp\u003eThe \u003ctt\u003echannel\u003c/tt\u003e argument passed to \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e and \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e is interpolated directly into \u003ctt\u003eLISTEN \"...\"\u003c/tt\u003e / \u003ctt\u003eUNLISTEN \"...\"\u003c/tt\u003e SQL statements without escaping the \u003ctt\u003e\"\u003c/tt\u003e character. An attacker who can influence the channel name can inject a \u003ctt\u003e\"\u003c/tt\u003e to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. \u003ctt\u003e; DROP TABLE ...; --\u003c/tt\u003e). The same unsanitized interpolation also occurs in \u003ctt\u003ehandle_connect/1\u003c/tt\u003e when replaying LISTEN commands after a reconnect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/postgrex/notifications.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u0027Elixir.Postgrex.Notifications\u0027 module) allows SQL Injection.\n\nThe channel argument passed to \u0027Elixir.Postgrex.Notifications\u0027:listen/3 and \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 is interpolated directly into LISTEN \"...\" / UNLISTEN \"...\" SQL statements without escaping the \" character. An attacker who can influence the channel name can inject a \" to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.\n\nThis vulnerability is associated with program file lib/postgrex/notifications.ex and program routines \u0027Elixir.Postgrex.Notifications\u0027:listen/3, \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3, \u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T19:46:52.054Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-r73h-97w8-m54h"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-32687.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32687"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-ecto/postgrex/commit/7cdedbd4316bb65f82e6a9a4f922c0ac491cb770"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-32687",
        "datePublished": "2026-05-12T14:18:07.607Z",
        "dateReserved": "2026-03-13T09:12:14.475Z",
        "dateUpdated": "2026-05-26T19:46:52.054Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58225 (GCVE-0-2026-58225)

    Vulnerability from cvelistv5 – Published: 2026-07-10 10:51 – Updated: 2026-07-10 12:50
    VLAI
    Title
    SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service
    Summary
    SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection. Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block. The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection. An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service. This issue affects postgrex: from 0.16.0 before 0.22.3.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-ecto postgrex Affected: 0.16.0 , < 0.22.3 (semver)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-ecto postgrex Affected: 266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 795c6062f62c4394272ff4b89170688857b4f841 (git)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich José Valim Jonatan Männchen / EEF
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58225",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T11:47:10.671088Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T11:47:16.925Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "postgrex",
              "packageURL": "pkg:hex/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "0.22.3",
                  "status": "affected",
                  "version": "0.16.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "elixir-ecto/postgrex",
              "packageURL": "pkg:github/elixir-ecto/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "795c6062f62c4394272ff4b89170688857b4f841",
                  "status": "affected",
                  "version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
                  "versionType": "git"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "0.22.3",
                      "versionStartIncluding": "0.16.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "AND"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jos\u00e9 Valim"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Jonatan M\u00e4nnchen / EEF"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a \u003ctt\u003eLISTEN\u003c/tt\u003e channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ePostgrex.Notifications\u003c/tt\u003e sanitizes channel names with \u003ctt\u003equote_channel/1\u003c/tt\u003e, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement \u003ctt\u003eLISTEN\u003c/tt\u003e and \u003ctt\u003eUNLISTEN\u003c/tt\u003e paths. On every (re)connect, however, \u003ctt\u003ehandle_connect/1\u003c/tt\u003e replays all registered channels at once by concatenating their \u003ctt\u003eLISTEN\u003c/tt\u003e statements and wrapping them in a dollar-quoted anonymous code block (\u003ctt\u003eDO $$BEGIN ... END$$\u003c/tt\u003e). \u003ctt\u003equote_channel/1\u003c/tt\u003e does not escape the \u003ctt\u003e$$\u003c/tt\u003e dollar-quote delimiter that opens and closes this block.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003elisten/3\u003c/tt\u003e guards only reject null bytes and names longer than 63 bytes, so a channel name containing \u003ctt\u003e$$\u003c/tt\u003e passes validation unchanged. Once such a name is embedded, its \u003ctt\u003e$$\u003c/tt\u003e prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because \u003ctt\u003ehandle_connect/1\u003c/tt\u003e runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\u003c/p\u003e\u003cp\u003eAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.3.\u003c/p\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\n\nPostgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.\n\nThe listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\n\nAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T12:50:40.297Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-58225.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-58225"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-ecto/postgrex/commit/795c6062f62c4394272ff4b89170688857b4f841"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eValidate channel names before passing untrusted input to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. Reject any name that contains the dollar-quote delimiter (\u003ctt\u003e$$\u003c/tt\u003e), or restrict channel names to a safe character set such as alphanumeric characters and underscores.\u003c/p\u003e"
                }
              ],
              "value": "Validate channel names before passing untrusted input to Postgrex.Notifications.listen/3. Reject any name that contains the dollar-quote delimiter ($$), or restrict channel names to a safe character set such as alphanumeric characters and underscores."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-58225",
        "datePublished": "2026-07-10T10:51:46.978Z",
        "dateReserved": "2026-06-29T18:54:08.633Z",
        "dateUpdated": "2026-07-10T12:50:40.297Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32687 (GCVE-0-2026-32687)

    Vulnerability from cvelistv5 – Published: 2026-05-12 14:18 – Updated: 2026-05-26 19:46
    VLAI
    Title
    SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect. This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1. This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    EEF
    Impacted products
    Vendor Product Version
    elixir-ecto postgrex Affected: 0.16.0 , < 0.22.2 (semver)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    elixir-ecto postgrex Affected: 266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 7cdedbd4316bb65f82e6a9a4f922c0ac491cb770 (git)
        cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Peter Ullrich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32687",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T19:44:22.093287Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T19:44:35.571Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.hex.pm",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "postgrex",
              "packageURL": "pkg:hex/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex.git",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "0.22.2",
                  "status": "affected",
                  "version": "0.16.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://github.com",
              "cpes": [
                "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "modules": [
                "\u0027Elixir.Postgrex.Notifications\u0027"
              ],
              "packageName": "elixir-ecto/postgrex",
              "packageURL": "pkg:github/elixir-ecto/postgrex",
              "product": "postgrex",
              "programFiles": [
                "lib/postgrex/notifications.ex"
              ],
              "programRoutines": [
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
                },
                {
                  "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
                }
              ],
              "repo": "https://github.com/elixir-ecto/postgrex.git",
              "vendor": "elixir-ecto",
              "versions": [
                {
                  "lessThan": "7cdedbd4316bb65f82e6a9a4f922c0ac491cb770",
                  "status": "affected",
                  "version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
                  "versionType": "git"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe application must call \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e or \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e with a channel name derived from untrusted user input.\u003c/p\u003e"
                }
              ],
              "value": "The application must call \u0027Elixir.Postgrex.Notifications\u0027:listen/3 or \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 with a channel name derived from untrusted user input."
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "0.22.2",
                      "versionStartIncluding": "0.16.0",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "AND"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Ullrich"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027\u003c/tt\u003e module) allows SQL Injection.\u003cp\u003eThe \u003ctt\u003echannel\u003c/tt\u003e argument passed to \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e and \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e is interpolated directly into \u003ctt\u003eLISTEN \"...\"\u003c/tt\u003e / \u003ctt\u003eUNLISTEN \"...\"\u003c/tt\u003e SQL statements without escaping the \u003ctt\u003e\"\u003c/tt\u003e character. An attacker who can influence the channel name can inject a \u003ctt\u003e\"\u003c/tt\u003e to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. \u003ctt\u003e; DROP TABLE ...; --\u003c/tt\u003e). The same unsanitized interpolation also occurs in \u003ctt\u003ehandle_connect/1\u003c/tt\u003e when replaying LISTEN commands after a reconnect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/postgrex/notifications.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u0027Elixir.Postgrex.Notifications\u0027 module) allows SQL Injection.\n\nThe channel argument passed to \u0027Elixir.Postgrex.Notifications\u0027:listen/3 and \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 is interpolated directly into LISTEN \"...\" / UNLISTEN \"...\" SQL statements without escaping the \" character. An attacker who can influence the channel name can inject a \" to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.\n\nThis vulnerability is associated with program file lib/postgrex/notifications.ex and program routines \u0027Elixir.Postgrex.Notifications\u0027:listen/3, \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3, \u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-26T19:46:52.054Z",
            "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
            "shortName": "EEF"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "related"
              ],
              "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-r73h-97w8-m54h"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://cna.erlef.org/cves/CVE-2026-32687.html"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32687"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/elixir-ecto/postgrex/commit/7cdedbd4316bb65f82e6a9a4f922c0ac491cb770"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "assignerShortName": "EEF",
        "cveId": "CVE-2026-32687",
        "datePublished": "2026-05-12T14:18:07.607Z",
        "dateReserved": "2026-03-13T09:12:14.475Z",
        "dateUpdated": "2026-05-26T19:46:52.054Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }