Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by elixir-ecto
CVE-2026-58225 (GCVE-0-2026-58225)
Vulnerability from nvd – Published: 2026-07-10 10:51 – Updated: 2026-07-10 12:50
VLAI
EPSS
VEX
Title
SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service
Summary
SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.
Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.
The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.
An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.
This issue affects postgrex: from 0.16.0 before 0.22.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-ecto/ecto/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-58225.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-58225 | related |
| https://github.com/elixir-ecto/postgrex/commit/79… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-ecto | postgrex |
Affected:
0.16.0 , < 0.22.3
(semver)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
|
| elixir-ecto | postgrex |
Affected:
266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 795c6062f62c4394272ff4b89170688857b4f841
(git)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T11:47:10.671088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T11:47:16.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "postgrex",
"packageURL": "pkg:hex/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
}
],
"repo": "https://github.com/elixir-ecto/postgrex",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "0.22.3",
"status": "affected",
"version": "0.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "elixir-ecto/postgrex",
"packageURL": "pkg:github/elixir-ecto/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
}
],
"repo": "https://github.com/elixir-ecto/postgrex",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "795c6062f62c4394272ff4b89170688857b4f841",
"status": "affected",
"version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.22.3",
"versionStartIncluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a \u003ctt\u003eLISTEN\u003c/tt\u003e channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ePostgrex.Notifications\u003c/tt\u003e sanitizes channel names with \u003ctt\u003equote_channel/1\u003c/tt\u003e, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement \u003ctt\u003eLISTEN\u003c/tt\u003e and \u003ctt\u003eUNLISTEN\u003c/tt\u003e paths. On every (re)connect, however, \u003ctt\u003ehandle_connect/1\u003c/tt\u003e replays all registered channels at once by concatenating their \u003ctt\u003eLISTEN\u003c/tt\u003e statements and wrapping them in a dollar-quoted anonymous code block (\u003ctt\u003eDO $$BEGIN ... END$$\u003c/tt\u003e). \u003ctt\u003equote_channel/1\u003c/tt\u003e does not escape the \u003ctt\u003e$$\u003c/tt\u003e dollar-quote delimiter that opens and closes this block.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003elisten/3\u003c/tt\u003e guards only reject null bytes and names longer than 63 bytes, so a channel name containing \u003ctt\u003e$$\u003c/tt\u003e passes validation unchanged. Once such a name is embedded, its \u003ctt\u003e$$\u003c/tt\u003e prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because \u003ctt\u003ehandle_connect/1\u003c/tt\u003e runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\u003c/p\u003e\u003cp\u003eAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.3.\u003c/p\u003e"
}
],
"value": "SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\n\nPostgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.\n\nThe listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\n\nAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.3."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T12:50:40.297Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-58225.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-58225"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-ecto/postgrex/commit/795c6062f62c4394272ff4b89170688857b4f841"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate channel names before passing untrusted input to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. Reject any name that contains the dollar-quote delimiter (\u003ctt\u003e$$\u003c/tt\u003e), or restrict channel names to a safe character set such as alphanumeric characters and underscores.\u003c/p\u003e"
}
],
"value": "Validate channel names before passing untrusted input to Postgrex.Notifications.listen/3. Reject any name that contains the dollar-quote delimiter ($$), or restrict channel names to a safe character set such as alphanumeric characters and underscores."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-58225",
"datePublished": "2026-07-10T10:51:46.978Z",
"dateReserved": "2026-06-29T18:54:08.633Z",
"dateUpdated": "2026-07-10T12:50:40.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32687 (GCVE-0-2026-32687)
Vulnerability from nvd – Published: 2026-05-12 14:18 – Updated: 2026-05-26 19:46
VLAI
EPSS
VEX
Title
SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection.
The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.
This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1.
This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-ecto/ecto/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-32687.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-32687 | related |
| https://github.com/elixir-ecto/postgrex/commit/7c… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-ecto | postgrex |
Affected:
0.16.0 , < 0.22.2
(semver)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
|
| elixir-ecto | postgrex |
Affected:
266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 7cdedbd4316bb65f82e6a9a4f922c0ac491cb770
(git)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T19:44:22.093287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:44:35.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "postgrex",
"packageURL": "pkg:hex/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
}
],
"repo": "https://github.com/elixir-ecto/postgrex.git",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "0.22.2",
"status": "affected",
"version": "0.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "elixir-ecto/postgrex",
"packageURL": "pkg:github/elixir-ecto/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
}
],
"repo": "https://github.com/elixir-ecto/postgrex.git",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "7cdedbd4316bb65f82e6a9a4f922c0ac491cb770",
"status": "affected",
"version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must call \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e or \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e with a channel name derived from untrusted user input.\u003c/p\u003e"
}
],
"value": "The application must call \u0027Elixir.Postgrex.Notifications\u0027:listen/3 or \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 with a channel name derived from untrusted user input."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.22.2",
"versionStartIncluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027\u003c/tt\u003e module) allows SQL Injection.\u003cp\u003eThe \u003ctt\u003echannel\u003c/tt\u003e argument passed to \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e and \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e is interpolated directly into \u003ctt\u003eLISTEN \"...\"\u003c/tt\u003e / \u003ctt\u003eUNLISTEN \"...\"\u003c/tt\u003e SQL statements without escaping the \u003ctt\u003e\"\u003c/tt\u003e character. An attacker who can influence the channel name can inject a \u003ctt\u003e\"\u003c/tt\u003e to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. \u003ctt\u003e; DROP TABLE ...; --\u003c/tt\u003e). The same unsanitized interpolation also occurs in \u003ctt\u003ehandle_connect/1\u003c/tt\u003e when replaying LISTEN commands after a reconnect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/postgrex/notifications.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u0027Elixir.Postgrex.Notifications\u0027 module) allows SQL Injection.\n\nThe channel argument passed to \u0027Elixir.Postgrex.Notifications\u0027:listen/3 and \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 is interpolated directly into LISTEN \"...\" / UNLISTEN \"...\" SQL statements without escaping the \" character. An attacker who can influence the channel name can inject a \" to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.\n\nThis vulnerability is associated with program file lib/postgrex/notifications.ex and program routines \u0027Elixir.Postgrex.Notifications\u0027:listen/3, \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3, \u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:46:52.054Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-r73h-97w8-m54h"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32687.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32687"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-ecto/postgrex/commit/7cdedbd4316bb65f82e6a9a4f922c0ac491cb770"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32687",
"datePublished": "2026-05-12T14:18:07.607Z",
"dateReserved": "2026-03-13T09:12:14.475Z",
"dateUpdated": "2026-05-26T19:46:52.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58225 (GCVE-0-2026-58225)
Vulnerability from cvelistv5 – Published: 2026-07-10 10:51 – Updated: 2026-07-10 12:50
VLAI
EPSS
VEX
Title
SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service
Summary
SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.
Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.
The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.
An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.
This issue affects postgrex: from 0.16.0 before 0.22.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-ecto/ecto/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-58225.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-58225 | related |
| https://github.com/elixir-ecto/postgrex/commit/79… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-ecto | postgrex |
Affected:
0.16.0 , < 0.22.3
(semver)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
|
| elixir-ecto | postgrex |
Affected:
266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 795c6062f62c4394272ff4b89170688857b4f841
(git)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T11:47:10.671088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T11:47:16.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "postgrex",
"packageURL": "pkg:hex/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
}
],
"repo": "https://github.com/elixir-ecto/postgrex",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "0.22.3",
"status": "affected",
"version": "0.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "elixir-ecto/postgrex",
"packageURL": "pkg:github/elixir-ecto/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
}
],
"repo": "https://github.com/elixir-ecto/postgrex",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "795c6062f62c4394272ff4b89170688857b4f841",
"status": "affected",
"version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.22.3",
"versionStartIncluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a \u003ctt\u003eLISTEN\u003c/tt\u003e channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ePostgrex.Notifications\u003c/tt\u003e sanitizes channel names with \u003ctt\u003equote_channel/1\u003c/tt\u003e, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement \u003ctt\u003eLISTEN\u003c/tt\u003e and \u003ctt\u003eUNLISTEN\u003c/tt\u003e paths. On every (re)connect, however, \u003ctt\u003ehandle_connect/1\u003c/tt\u003e replays all registered channels at once by concatenating their \u003ctt\u003eLISTEN\u003c/tt\u003e statements and wrapping them in a dollar-quoted anonymous code block (\u003ctt\u003eDO $$BEGIN ... END$$\u003c/tt\u003e). \u003ctt\u003equote_channel/1\u003c/tt\u003e does not escape the \u003ctt\u003e$$\u003c/tt\u003e dollar-quote delimiter that opens and closes this block.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003elisten/3\u003c/tt\u003e guards only reject null bytes and names longer than 63 bytes, so a channel name containing \u003ctt\u003e$$\u003c/tt\u003e passes validation unchanged. Once such a name is embedded, its \u003ctt\u003e$$\u003c/tt\u003e prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because \u003ctt\u003ehandle_connect/1\u003c/tt\u003e runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\u003c/p\u003e\u003cp\u003eAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.3.\u003c/p\u003e"
}
],
"value": "SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\n\nPostgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.\n\nThe listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\n\nAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.3."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T12:50:40.297Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-58225.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-58225"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-ecto/postgrex/commit/795c6062f62c4394272ff4b89170688857b4f841"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate channel names before passing untrusted input to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. Reject any name that contains the dollar-quote delimiter (\u003ctt\u003e$$\u003c/tt\u003e), or restrict channel names to a safe character set such as alphanumeric characters and underscores.\u003c/p\u003e"
}
],
"value": "Validate channel names before passing untrusted input to Postgrex.Notifications.listen/3. Reject any name that contains the dollar-quote delimiter ($$), or restrict channel names to a safe character set such as alphanumeric characters and underscores."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-58225",
"datePublished": "2026-07-10T10:51:46.978Z",
"dateReserved": "2026-06-29T18:54:08.633Z",
"dateUpdated": "2026-07-10T12:50:40.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32687 (GCVE-0-2026-32687)
Vulnerability from cvelistv5 – Published: 2026-05-12 14:18 – Updated: 2026-05-26 19:46
VLAI
EPSS
VEX
Title
SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection.
The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.
This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1.
This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-ecto/ecto/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-32687.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-32687 | related |
| https://github.com/elixir-ecto/postgrex/commit/7c… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-ecto | postgrex |
Affected:
0.16.0 , < 0.22.2
(semver)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
|
| elixir-ecto | postgrex |
Affected:
266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 7cdedbd4316bb65f82e6a9a4f922c0ac491cb770
(git)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T19:44:22.093287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:44:35.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "postgrex",
"packageURL": "pkg:hex/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
}
],
"repo": "https://github.com/elixir-ecto/postgrex.git",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "0.22.2",
"status": "affected",
"version": "0.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "elixir-ecto/postgrex",
"packageURL": "pkg:github/elixir-ecto/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
}
],
"repo": "https://github.com/elixir-ecto/postgrex.git",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "7cdedbd4316bb65f82e6a9a4f922c0ac491cb770",
"status": "affected",
"version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must call \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e or \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e with a channel name derived from untrusted user input.\u003c/p\u003e"
}
],
"value": "The application must call \u0027Elixir.Postgrex.Notifications\u0027:listen/3 or \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 with a channel name derived from untrusted user input."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.22.2",
"versionStartIncluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027\u003c/tt\u003e module) allows SQL Injection.\u003cp\u003eThe \u003ctt\u003echannel\u003c/tt\u003e argument passed to \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e and \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e is interpolated directly into \u003ctt\u003eLISTEN \"...\"\u003c/tt\u003e / \u003ctt\u003eUNLISTEN \"...\"\u003c/tt\u003e SQL statements without escaping the \u003ctt\u003e\"\u003c/tt\u003e character. An attacker who can influence the channel name can inject a \u003ctt\u003e\"\u003c/tt\u003e to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. \u003ctt\u003e; DROP TABLE ...; --\u003c/tt\u003e). The same unsanitized interpolation also occurs in \u003ctt\u003ehandle_connect/1\u003c/tt\u003e when replaying LISTEN commands after a reconnect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/postgrex/notifications.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u0027Elixir.Postgrex.Notifications\u0027 module) allows SQL Injection.\n\nThe channel argument passed to \u0027Elixir.Postgrex.Notifications\u0027:listen/3 and \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 is interpolated directly into LISTEN \"...\" / UNLISTEN \"...\" SQL statements without escaping the \" character. An attacker who can influence the channel name can inject a \" to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.\n\nThis vulnerability is associated with program file lib/postgrex/notifications.ex and program routines \u0027Elixir.Postgrex.Notifications\u0027:listen/3, \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3, \u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:46:52.054Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-r73h-97w8-m54h"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32687.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32687"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-ecto/postgrex/commit/7cdedbd4316bb65f82e6a9a4f922c0ac491cb770"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32687",
"datePublished": "2026-05-12T14:18:07.607Z",
"dateReserved": "2026-03-13T09:12:14.475Z",
"dateUpdated": "2026-05-26T19:46:52.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}