CVE-2026-41889
Analyzed Analyzed - Analysis Complete
SQL Injection Vulnerability in pgx PostgreSQL Driver for Go

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: GitHub, Inc.

Description
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41889
EUVD
EUVD-2026-28805
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jackc pgx to 5.9.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the pgx PostgreSQL driver and toolkit for Go, specifically in versions prior to 5.9.2. It involves SQL injection that can occur when using the non-default simple protocol combined with a dollar quoted string literal in the SQL query. If the string literal contains text that would normally be interpreted as a placeholder outside of a string literal, and the attacker can control the value of that placeholder, they can exploit this to perform SQL injection.

Compliance Impact

The provided information does not specify any direct impact of this SQL injection vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability can allow an attacker to perform SQL injection attacks, which may lead to unauthorized access to or manipulation of the database. This could result in data leakage, data corruption, or unauthorized actions being performed on the database, depending on the attacker's capabilities and the database's configuration.

Mitigation Strategies

To mitigate this vulnerability, upgrade the pgx PostgreSQL driver and toolkit to version 5.9.2 or later, where the SQL injection issue has been patched.

Detection Guidance

This vulnerability involves SQL injection through the pgx PostgreSQL driver when using the non-default simple protocol with dollar-quoted string literals containing placeholder-like text. Detection would involve identifying usage of vulnerable pgx versions prior to 5.9.2 and monitoring for suspicious SQL queries that include dollar-quoted strings with embedded placeholders.

Since the vulnerability is specific to the pgx driver and its handling of SQL queries, detection on the network or system could include:

  • Checking the version of the pgx library in use to confirm if it is older than 5.9.2.
  • Reviewing application logs or database query logs for SQL queries that use dollar-quoted string literals containing placeholder-like patterns such as `$tag$` or `$N`.
  • Monitoring for unusual or unexpected SQL commands that could indicate injection attempts, for example queries containing suspicious payloads like `$tag$; drop table canary; --`.

Specific commands to detect the vulnerability are not provided in the available resources. However, general commands to check the pgx version or search logs might include:

  • To check the pgx version in a Go project: `go list -m github.com/jackc/pgx` or inspect the `go.mod` file for the pgx version.
  • To search database logs for suspicious dollar-quoted strings (example using grep): `grep -E '\$[a-zA-Z0-9]*\$' /path/to/db/logs`
  • To monitor network traffic for suspicious SQL queries, use a network capture tool (e.g., tcpdump or Wireshark) with filters for PostgreSQL traffic and analyze queries containing dollar-quoted strings.

For precise detection commands or tools tailored to this vulnerability, no information is available in the provided resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart