CVE-2026-41889
SQL Injection Vulnerability in pgx PostgreSQL Driver for Go
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgx | pgx | to 5.9.2 (exc) |
| jackc | pgx | to 5.9.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the pgx PostgreSQL driver and toolkit for Go, specifically in versions prior to 5.9.2. It involves SQL injection that can occur when using the non-default simple protocol combined with a dollar quoted string literal in the SQL query. If the string literal contains text that would normally be interpreted as a placeholder outside of a string literal, and the attacker can control the value of that placeholder, they can exploit this to perform SQL injection.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to perform SQL injection attacks, which may lead to unauthorized access to or manipulation of the database. This could result in data leakage, data corruption, or unauthorized actions being performed on the database, depending on the attacker's capabilities and the database's configuration.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the pgx PostgreSQL driver and toolkit to version 5.9.2 or later, where the SQL injection issue has been patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection through the pgx PostgreSQL driver when using the non-default simple protocol with dollar-quoted string literals containing placeholder-like text. Detection would involve identifying usage of vulnerable pgx versions prior to 5.9.2 and monitoring for suspicious SQL queries that include dollar-quoted strings with embedded placeholders.
Since the vulnerability is specific to the pgx driver and its handling of SQL queries, detection on the network or system could include:
- Checking the version of the pgx library in use to confirm if it is older than 5.9.2.
- Reviewing application logs or database query logs for SQL queries that use dollar-quoted string literals containing placeholder-like patterns such as `$tag$` or `$N`.
- Monitoring for unusual or unexpected SQL commands that could indicate injection attempts, for example queries containing suspicious payloads like `$tag$; drop table canary; --`.
Specific commands to detect the vulnerability are not provided in the available resources. However, general commands to check the pgx version or search logs might include:
- To check the pgx version in a Go project: `go list -m github.com/jackc/pgx` or inspect the `go.mod` file for the pgx version.
- To search database logs for suspicious dollar-quoted strings (example using grep): `grep -E '\$[a-zA-Z0-9]*\$' /path/to/db/logs`
- To monitor network traffic for suspicious SQL queries, use a network capture tool (e.g., tcpdump or Wireshark) with filters for PostgreSQL traffic and analyze queries containing dollar-quoted strings.
For precise detection commands or tools tailored to this vulnerability, no information is available in the provided resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this SQL injection vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.