EXECUTIVE SUMMARY:
CVE-2026-32687 (CVSS 7.5) is a SQL injection vulnerability in the Elixir postgrex library, specifically in the Elixir.Postgrex.Notifications module. The channel value passed to the listen/3 and unlisten/3 functions is embedded directly into the PostgreSQL LISTEN and UNLISTEN statements without sanitization or escaping of special characters such as the double quote ("). An attacker who can influence the channel name can therefore inject SQL and potentially execute arbitrary statements (including data manipulation and schema changes) on the database through the notifications connection. The consequences include unauthorized data access, modification, or destruction, so the issue is high-risk for applications that expose notification channels to, or derive them from, user-controlled input.
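As an added illustration (not postgrex code, and written in Python rather than Elixir because the quoting rule being demonstrated is PostgreSQL's, not the library's), the following contrasts the direct-interpolation pattern described above with an identifier-quoting helper that doubles any embedded double quote, alongside a conservative allowlist check for channel names that come from untrusted input. The helper names, the allowlist pattern and the sample channel names are assumptions constructed for this example.

```python
import re

# PostgreSQL truncates identifiers longer than NAMEDATALEN - 1 (63) bytes.
MAX_IDENT_BYTES = 63

# Conservative allowlist for channel names derived from untrusted input.
# This pattern is an assumption for the example, not a postgrex rule.
SAFE_CHANNEL = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def naive_listen_sql(channel: str) -> str:
    """Vulnerable pattern: the channel is interpolated verbatim, so an
    embedded double quote terminates the identifier early."""
    return f'LISTEN "{channel}"'


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes and double
    every embedded double quote, so the value can never close the
    identifier and continue as SQL."""
    if "\x00" in name:
        raise ValueError("identifier may not contain NUL")
    if len(name.encode("utf-8")) > MAX_IDENT_BYTES:
        raise ValueError("identifier longer than 63 bytes would be truncated")
    return '"' + name.replace('"', '""') + '"'


def safe_listen_sql(channel: str) -> str:
    return "LISTEN " + quote_ident(channel)


def safe_unlisten_sql(channel: str) -> str:
    return "UNLISTEN " + quote_ident(channel)


def is_allowlisted_channel(channel: str) -> bool:
    """Defense in depth: reject anything that is not a plain lowercase
    identifier before it reaches the notifications connection at all."""
    return SAFE_CHANNEL.fullmatch(channel) is not None


if __name__ == "__main__":
    # Constructed sample: a channel name carrying an embedded double quote.
    tainted = 'my"chan'
    print("naive :", naive_listen_sql(tainted))   # identifier closed early
    print("quoted:", safe_listen_sql(tainted))    # quote doubled, one identifier
    print("allow :", is_allowlisted_channel(tainted))
```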
RECOMMENDATION:
We recommend updating postgrex to version 0.22.2 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-r73h-97w8-m54h