CVE-2026-58225
Received Received - Intake

SQL Injection in Postgrex via Malformed LISTEN Channel

Vulnerability report for CVE-2026-58225, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: EEF

Description

SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection. Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block. The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection. An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service. This issue affects postgrex: from 0.16.0 before 0.22.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
elixir-ecto postgrex From 0.16.0 (inc) to 0.22.3 (exc)
elixir postgrex From 0.16.0 (inc) to 0.22.3 (exc)
postgrex postgrex From 0.16.0 (inc) to 0.22.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58225 is a SQL injection vulnerability in the elixir-ecto postgrex library affecting versions from 0.16.0 before 0.22.3. It occurs when an attacker can influence a LISTEN channel name used in Postgrex.Notifications.listen/3.

The vulnerability arises because the function quote_channel/1 properly escapes double quotes but does not escape PostgreSQL's dollar-quote delimiter ($$). When a channel name contains $$, it prematurely terminates the dollar-quoted anonymous code block used during connection replay queries.

This causes PostgreSQL to parse the remainder of the query as additional top-level statements, corrupting the reconnect replay query. As a result, the notification connection fails to re-establish subscriptions and silently drops notifications for all channels sharing that connection.

While arbitrary SQL execution is not possible due to double-quote escaping, the corrupted query reliably causes a denial of service by breaking the shared notification connection.

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the notification connection used by Postgrex.Notifications. When exploited, the reconnect replay query is corrupted and rejected by PostgreSQL on every (re)connect.

As a result, the notification connection never re-establishes its subscriptions, silently dropping notifications for all channels sharing that connection.

Applications that pass untrusted input, such as tenant or user identifiers, as channel names to Postgrex.Notifications.listen/3 are affected.

The impact is service disruption rather than arbitrary SQL execution, causing loss of notifications and potentially affecting all tenants or users relying on that connection.

Detection Guidance

Detection of this vulnerability involves identifying if your application uses Postgrex versions from 0.16.0 before 0.22.3 and if untrusted input is passed as channel names to Postgrex.Notifications.listen/3.

You can check your Postgrex version by running a command in your project environment, for example:

  • mix deps | grep postgrex

To detect if vulnerable channel names containing the dollar-quote delimiter ($$) are used, you can search your application logs or database notification channel registrations for channel names containing $$.

  • grep '\$\$' your_application_logs.log

Additionally, monitoring for repeated notification connection failures or denial of service symptoms related to Postgrex notifications may indicate exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Postgrex to version 0.22.3 or later, where the vulnerability is fixed by properly escaping dollar signs in channel names.

If upgrading is not immediately possible, you should validate and sanitize channel names before passing them to Postgrex.Notifications.listen/3 to ensure they do not contain the dollar-quote delimiter ($$) or other unsafe characters.

Restricting channel names to a safe character set that excludes the $ character can prevent injection attempts.

Monitoring and alerting on notification connection failures can help detect ongoing exploitation attempts.

Compliance Impact

The vulnerability causes a denial of service by breaking the notification connection, which can silently drop notifications for all channels sharing that connection.

While arbitrary SQL execution is not possible, the denial of service could impact the availability of notification services that might be critical for compliance with standards requiring data availability and integrity, such as GDPR or HIPAA.

However, there is no direct information in the provided context or resources about specific impacts on compliance with GDPR, HIPAA, or other regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart