Postgresql Updates & Release Notes

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.4, 17.10, 16.14, 15.18, and 14.23.

This release fixes 11 security vulnerabilities and over 60 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 14 will stop receiving fixes on November 12, 2026. If you are running PostgreSQL 14 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2026-6472: PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege

CVSS v3.1 Base Score: 5.4

Supported, Vulnerable Versions: 14 - 18.

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2026-6473: PostgreSQL server undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Integer wraparound in multiple PostgreSQL server features allows an application input provider to cause the server to undersize an allocation and write out-of-bounds. This results in a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Anemone, A1ex, Xint Code, Jihe Wang, Jingzhou Fu, Pavel Kohout, Petr Simecek, www.aisle.com, Bruce Dang of Calif.io, and Sven Klemm for reporting this problem.

CVE-2026-6474: PostgreSQL timeofday() can disclose portions of server memory

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 14 - 18.

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Xint Code for reporting this problem.

CVE-2026-6475: PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Valery Gubanov, XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine, Zhanpeng Liu (pkugenuine(at)gmail(dot)com), Guannan Wang (wgnbuaa(at)gmail(dot)com), and Guancheng Li (lgcpku(at)gmail(dot)com) for reporting this problem.

CVE-2026-6476: PostgreSQL pg_createsubscriber allows SQL injection via subscription name

CVSS v3.1 Base Score: 7.2

Supported, Vulnerable Versions: 17 - 18.

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

The PostgreSQL project thanks Yu Kunpeng for reporting this problem.

CVE-2026-6477: PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Yu Kunpeng and Martin Heistermann for reporting this problem.

CVE-2026-6478: PostgreSQL discloses MD5-hashed passwords via covert timing channel

CVSS v3.1 Base Score: 6.5

Supported, Vulnerable Versions: 14 - 18.

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Joe Conway for reporting this problem.

CVE-2026-6479: PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

CVSS v3.1 Base Score: 7.5

Supported, Vulnerable Versions: 14 - 18.

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Calif.io in collaboration with Claude and Anthropic Research for reporting this problem.

CVE-2026-6575: PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array

CVSS v3.1 Base Score: 4.3

Supported, Vulnerable Versions: 18.

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

The PostgreSQL project thanks Jeroen Gui for reporting this problem.

CVE-2026-6637: PostgreSQL refint allows stack buffer overflow and SQL injection

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 14 - 18.

Stack buffer overflow in PostgreSQL module refint allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a refint cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

The PostgreSQL project thanks Nikolay Samokhvalov for reporting this problem.

CVE-2026-6638: PostgreSQL REFRESH PUBLICATION allows SQL injection via table name

CVSS v3.1 Base Score: 3.7

Supported, Vulnerable Versions: 16 - 18.

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

The PostgreSQL project thanks Pavel Kohout, Aisle Research for reporting this problem.

Bug Fixes and Improvements

This update fixes over 60 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix queries that could return incorrect results when using a nondeterministic collation over a unique index.
• Fix loss of deferrability of foreign-key triggers. Previously, a foreign key defined as DEFERRABLE INITIALLY DEFERRED would behave as NOT DEFERRABLE after being set to NOT ENFORCED status and then back to ENFORCED. If you have a foreign key with this problem, after installing this update you can fix it by setting it to NOT ENFORCED and then back to ENFORCED.
• Improve the planner's ability to apply partition pruning to more cases.
• Fix self-join removal to handle join clauses that are only boolean columns, for example, ON t1.boolcol.
• Several fixes around virtual generated columns, including ensuring INSERT ... ON CONFLICT works when EXCLUDED references a virtual generated column.
• Report a serialization failure when MERGE encounters a concurrently-updated tuple in "repeatable read" or "serializable" isolation modes.
• Fix CREATE TABLE ... LIKE ... INCLUDING STATISTICS for cases where the source table had one or more dropped columns.
• Fix WITHOUT OVERLAPS to allow domains.
• Disallow making a composite type be a member of itself via a multirange.
• Fix sometimes-incorrect results when array_agg(anyarray) executes in parallel.
• Prevent bloating during restore of an incremental backup.
• Prevent stuck logical replication slot synchronization worker processes from blocking promotion of a standby server.
• Make the pg_aios system view pid column show NULL instead of 0 when an entry has no owning process.
• Fix cases where pg_stat_replication shows NULL lag even while replication is active.
• Correctly display JOIN alias variables that are used in GROUP BY.
• If the startup process fails, properly shut down other child processes before exiting the postmaster.
• Fix race condition that could cause a standby server following WAL from a primary of an older minor version to get into a crash-and-restart loop.
• Prevent indefinite wait in shutdown of a walsender process when logical replication is actively publishing data.
• Ensure that free space map changes are persisted during recovery. This could have performance ramifications on a standby server after promotion.
• Fix assorted bugs in backup decompression and tar-parsing code used in pg_basebackup and pg_verifybackup.
• Ensure pg_dumpall doesn't skip role grants with dangling grantor OIDs, restoring the behavior before PostgreSQL 16. Emits a warning about missing grantor if the source server is PostgreSQL 16 or later.
• Fix pg_upgrade to use the correct protocol version when connecting to older source servers.
• Fix output in pg_overexplain when using the RANGE_TABLE option.
• Fix postgres_fdw crash due to premature cleanup of a failed connection.

This release also updates time zone data files to tzdata release 2026b, in which British Columbia (America/Vancouver) will be on year-round UTC-07 (effectively, permanent DST) beginning in November 2026. This release assumes that their TZ abbreviation will be MST from that time forward (though this could change). There is also a historical correction for Moldova, which has used EU DST transition times since 2022.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply stop PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.

Original source

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.3, 17.9, 16.13, 15.17, and 14.22. This is an out-of-cycle release that fixes several regressions reported after the last update release.

For the full list of changes, please review the release notes.

Bug Fixes and Improvements

This update fixes several bugs that were reported since the previous release. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix issue where a standby would halt and return an error "could not access status of transaction".
• Fix error where the substring() function would raise an error "invalid byte sequence for encoding" on non-ASCII text values if the source of that value is a database column. This was due to a change introduced for the fix to CVE-2026-2006.
• Fix for the strict_word_similarity function in pg_trgm that could lead to incorrect output or crashes. This was due to an oversight in the fix for CVE-2026-2007.
• Fix function volatility for json_strip_nulls() and jsonb_strip_nulls() to be immutable, like previous releases, allowing for them to be used in indexes. If you previously upgraded to PostgreSQL 18.0 through 18.2, see the additional steps in the "Updating" section.
• Fix for NOT NULL tests in LATERAL UNION ALL subquery that could lead to wrong query output.
• Avoid NOT NULL constraints from generating name conflicts with user-written constraints.
• Fix pg_stat_get_backend_wait_event() and pg_stat_get_backend_wait_event_type() to report values for auxiliary processes, similar to pg_stat_activity.
• Fix casting a composite-type variable to a domain type when returning its value from a PL/pgSQL function.
• Fix the hstore binary input function to avoid crashes on input with duplicate keys.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

If you previously upgraded to PostgreSQL 18.0, 18.1 or 18.2, you need to execute the following SQL as a PostgreSQL superuser in all of your databases to make the json_strip_nulls() and jsonb_strip_nulls() functions immutable:

UPDATE pg_catalog.pg_proc SET provolatile = 'i' WHERE oid IN ('3261','3262');

You should also execute this command in the template0 and template1 databases so future databases you create in your PostgreSQL cluster have the correct function volatility setting. Please see the documentation on template databases for more information.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.

Original source

News from apt.postgresql.org

Changelogs

apt.postgresql.org now has changelog files in a place where apt can retrieve them automatically, for example

apt changelog postgresql-18

will download the file and display it in a pager. Mind that the files are only present yet for packages updated since last week, the rest will follow over time.

Build logs

Likewise, package build logs are now also stored along with the packages in .build.xz files in the pool directory. (There is no automated download tool for them, though.)

Ubuntu releases resolute and plucky

Work on the upcoming Ubuntu 26.04 "resolute" release has started and packages are available on apt.postgresql.org.

The Ubuntu 25.04 "plucky" release has reached its end of life and has been moved to apt-archive.postgresql.org.

Christoph

Original source

The PostgreSQL Global Development Group is planning for an out-of-cycle release on February 26, 2026 due to regressions introduced in the February 12, 2026 update release, which included releases 18.2, 17.8, 16.12, 15.16, and 14.21. This release will provide fixes for all supported versions (18.3, 17.9, 16.13, 15.17, 14.22). While these fixes may not impact all PostgreSQL users, the PostgreSQL Global Development Group wants to address these issues before the next scheduled release on May 14, 2026.

The regressions from this release include:

• The substring() function raises an error "invalid byte sequence for encoding" on non-ASCII text values if the source of that value is a database column.
• A standby may halt and return an error "could not access status of transaction".

For the substring() regression, the fix for CVE-2026-2006, which closed a vulnerability in the database server, introduced a regression causing substring() to improperly return an error on multi-byte (non-ASCII) text values if the source of that value was a database column. If you've upgraded to 18.2, 17.8, 16.12, 15.16, or 14.21, and need the fix ahead of the February 26, 2026 release, you should consider manually applying the changes. Release specific information can be found here: https://wiki.postgresql.org/wiki/2026-02_Regression_Fixes.

Ahead of this release, you can find additional information about the regressions and fixes here: https://wiki.postgresql.org/wiki/2026-02_Regression_Fixes.

Original source

Security Issues

CVE-2026-2003: PostgreSQL oidvector discloses a few bytes of memory: PostgreSQL oidvector discloses a few bytes of memory
CVSS v3.1 Base Score: 4.3
Supported, Vulnerable Versions: 14 - 18.
Improper validation of type oidvector in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
The PostgreSQL project thanks Altan Birler for reporting this problem.

CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
The PostgreSQL project thanks Daniel Firer, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2005: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code: PostgreSQL pgcrypto heap buffer overflow executes arbitrary code
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
The PostgreSQL project thanks Team Xint Code, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2006: PostgreSQL missing validation of multibyte character length executes arbitrary code: PostgreSQL missing validation of multibyte character length executes arbitrary code
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 14 - 18.
Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
The PostgreSQL project thanks Paul Gerste and Moritz Sanft, as part of zeroday.cloud, for reporting this problem.

CVE-2026-2007: PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory: PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory
CVSS v3.1 Base Score: 8.2
Supported, Vulnerable Versions: 18.
Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.
The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Bug Fixes and Improvements

This update fixes over 65 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix inconsistent case-insensitive text matching in the ltree extension. If you use an index on an ltree column, in some cases you may need perform a reindex. See the "Updating" section for additional instructions.
• Executing ALTER TABLE ... ADD CONSTRAINT to add a NOT NULL constraint on a column that already is marked as NOT NULL now requires the constraint name to match the existing constraint name.
• Fix trigger behavior when MERGE is executed from a WITH query to include rows affected by the MERGE.
• Several query planner fixes.
• Fix for text substring search for non-deterministic collations.
• Several fixes for NOTIFY error handling and reporting.
• Use the correct ordering function in GIN index parallel builds.
• Fix incorrect handling of incremental backups with tables larger than 1GB.
• Fail recovery if WAL does not exist back to the redo point indicated by the checkpoint record.
• Fix for ALTER PUBLICATION to ensure event triggers contain all set options.
• Several fixes around replication slot initialization.
• Don't advance replication slot after a logical replication parallel worker apply failure to prevent transaction loss on the subscriber.
• Fix error reporting for SQL/JSON path type mismatches.
• Fix JIT compilation function inlining when using LLVM 17 or later.
• Add new server parameter file_extend_method to control use of posix_fallocate().
• Fix psql tab completion for the VACUUM command options.
• Fix pg_dump to handle concurrent sequence drops gracefully and to fail if the calling user explicitly lacks privileges to read the sequence.
• Several fixes for amcheck around btree inspection.
• Avoid crash in pg_stat_statements when an IN list contains both constants and non-constant expressions.

This release also updates time zone data files to tzdata release 2025c, which only has a historical data change for pre-1976 timestamps in Baja California.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

If you have indexes on ltree columns and do not use the libc collation provider, after upgrading to the latest version, you must reindex any ltree column. You can use REINDEX INDEX CONCURRENTLY to minimize the impact on your system.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.

Original source

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23. This release fixes 2 security vulnerabilities and over 50 bugs reported over the last several months.

For the full list of changes, please review the release notes.

PostgreSQL 13 EOL Notice

This is the final release of PostgreSQL 13. PostgreSQL 13 is now end-of-life and will no longer receive security and bug fixes. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-12817: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege: PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 18.

Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Jelte Fennema-Nio for reporting this problem.

CVE-2025-12818: PostgreSQL libpq undersizes allocations, via integer wraparound: PostgreSQL libpq undersizes allocations, via integer wraparound

CVSS v3.1 Base Score: 5.9

Supported, Vulnerable Versions: 13 - 18.

Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.

The PostgreSQL project thanks Aleksey Solovev (Positive Technologies) for reporting this problem.

Bug Fixes and Improvements

This update fixes over 50 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 18. Some of these issues may also affect other supported versions of PostgreSQL.

• Avoid returning duplicate rows from hash right semi-joins.
• Avoid possible out-of-memory failures during parallel GIN index build.
• Several fixes for BRIN indexes.
• Fixes for crashes related to partitioned tables, including one occurring during a recheck.
• Avoid duplicating hash partition constraints during DETACH CONCURRENTLY, which previously caused issues during dump/restore or if a parent table is dropped after the DETACH.
• Disallow generated columns in partition keys and in COPY ... FROM ... WHERE clauses.
• Fix incorrect reporting of replication lag in pg_stat_replication view.
• Avoid failures when synchronized_standby_slots references nonexistent replication slots.
• Avoid unwanted WAL receiver shutdown when switching from streaming to archive WAL source.
• Avoid unnecessary invalidation of logical replication slots.
• Correctly handle GROUP BY DISTINCT in PL/pgSQL assignment statements.
• Avoid leaking memory when handling a SQL error within PL/Python.
• Fix how libpq handles socket-related errors on Windows within its GSSAPI logic.
• Fix dumping of non-inherited NOT NULL constraints on inherited table columns.
• Ensure consistent ordering of foreign key constraints in the output of pg_dump.
• Several fixes for pgbench error handling and reporting.
• Fix memory leak in pg_combinebackup.
• Allow nonsuperusers with SELECT privileges on a table to use pg_prewarm to prewarm indexes on that table.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.

Original source

Introducing asynchronous I/O

The PostgreSQL Global Development Group today announced the release of PostgreSQL 18, the latest version of the world's most advanced open source database. Translations of this press release are available in the PostgreSQL 18 press kit.

PostgreSQL 18 improves performance for workloads of all sizes through a new I/O subsystem that has demonstrated up to 3× performance improvements when reading from storage, and also increases the number of queries that can use indexes. This release makes major-version upgrades less disruptive, accelerating upgrade times and reducing the time required to reach expected performance after an upgrade completes. Developers also benefit from PostgreSQL 18 features, including virtual generated columns that compute values at query time, and the database-friendly uuidv7() function that provides better indexing and read performance for UUIDs. PostgreSQL 18 makes it easier to integrate with single-sign on (SSO) systems with support for OAuth 2.0 authentication.

"The efforts of the global open source community shape every PostgreSQL release and help deliver features that meet users where their data resides," said Jonathan Katz, a member of the PostgreSQL core team. "PostgreSQL 18 builds on the project's long, rich history of delivering a reliable and robust data management experience, while continuing to expand the workloads it can support."

PostgreSQL, an innovative data management system known for its reliability, robustness, and extensibility, benefits from nearly 30 years of open source development from a global developer community and has become the preferred open source relational database for organizations of all sizes.

PostgreSQL previously relied on operating system readahead mechanisms to accelerate data retrieval. However, because operating systems lack insight into database-specific access patterns, they cannot always anticipate what data will be required, leading to suboptimal performance in many workloads.

PostgreSQL 18 introduces a new asynchronous I/O (AIO) subsystem designed to address this limitation. AIO lets PostgreSQL issue multiple I/O requests concurrently instead of waiting for each to finish in sequence. This expands existing readahead and improves overall throughput. AIO operations supported in PostgreSQL 18 include sequential scans, bitmap heap scans, and vacuum. Benchmarking has demonstrated performance gains of up to 3x in certain scenarios.

The new io_method setting lets you toggle between the AIO methods, including worker and io_uring, or you can choose to maintain the current PostgreSQL behavior with the sync setting. There are now more parameters to consider tuning with AIO, which you can learn more about in the documentation.

Faster upgrades, better post-upgrade performance

A key PostgreSQL feature is the generation and storage of statistics that help PostgreSQL select the most efficient query plan. Before PostgreSQL 18, these statistics didn't carry over on a major version upgrade, which could cause significant query performance degradations on busy systems until the ANALYZE finished running. PostgreSQL 18 introduces the ability to keep planner statistics through a major version upgrade, which helps an upgraded cluster reach expected performance more quickly after the upgrade.

Additionally, pg_upgrade, a utility that performs major version upgrades, includes several enhancements in PostgreSQL 18, such as faster upgrades when a database contains many objects like tables and sequences. This release also lets pg_upgrade process its checks in parallel based on the settings of the --jobs flag, and adds the --swap flag that swaps upgrade directories instead of copying, cloning, or linking files.

Query and general performance enhancements

PostgreSQL 18 further accelerates query performance with features that automatically make your workloads faster. This release introduces "skip scan" lookups on multicolumn B-tree indexes that improve execution time for queries that omit an = condition on one or more prefix index columns. It can also optimize queries that use OR conditions in a WHERE to use an index, leading to significantly faster execution. There are also numerous improvements for how PostgreSQL plans and executes table joins, from boosting the performance of hash joins to allowing merge joins to use incremental sorts. PostgreSQL 18 also supports parallel builds for GIN indexes, joining B-tree and BRIN indexes in supporting this capability.

This release also builds on PostgreSQL support for hardware acceleration, including support for ARM NEON and SVE CPU intrinsics for the popcount function, which is used by the bit_count and other internal capabilities.

Enhancing the developer experience

PostgreSQL 18 introduces virtual generated columns that compute values at query time instead of storing them. This is now the default option for generated columns. Additionally, stored generated columns can now be logically replicated.

This release adds the capability to access both the previous (OLD) and current (NEW) values in the RETURNING clause for INSERT, UPDATE, DELETE and MERGE commands. PostgreSQL 18 also adds UUIDv7 generation through the uuidv7() function, letting you generate random UUIDs that are timestamp-ordered to support better caching strategies. PostgreSQL 18 includes uuidv4() as an alias for gen_random_uuid().

PostgreSQL 18 adds temporal constraints -- constraints over ranges -- for both PRIMARY KEY and UNIQUE constraints using the WITHOUT OVERLAPS clause, and on FOREIGN KEY constraints using the PERIOD clause.

Finally, PostgreSQL 18 makes it easier to create the schema definition of a foreign table using the definition of a local table with the CREATE FOREIGN TABLE ... LIKE command.

Improved text processing

PostgreSQL 18 makes text processing easier and faster with several new enhancements. This release adds the PG_UNICODE_FAST collation, which provides full Unicode semantics for case transformations while helping to accelerate many comparisons. This includes the upper and lower string comparison functions and the new casefold function for case-insensitive comparisons. Additionally, PostgreSQL 18 now supports making LIKE comparisons over text that uses a nondeterministic collation, simplifying how you can perform more complex pattern matching. This release also changes full text search to use the default collation provider of a cluster instead of always using libc, which may require you to reindex all full text search and pg_trgm indexes after running pg_upgrade.

Authentication and security features

PostgreSQL 18 introduces oauth authentication, which lets users authenticate using OAuth 2.0 mechanisms supported through PostgreSQL extensions. Additionally, PostgreSQL 18 includes validation for FIPS mode, and adds the ssl_tls13_ciphers parameter for configuring server-side TLS v1.3 cipher suites.

This release deprecates md5 password authentication, which will be removed in a future release. If you require PostgreSQL password-based authentication, use SCRAM authentication. PostgreSQL 18 also supports SCRAM passthrough authentication with both postgres_fdw and dblink for authenticating to remote PostgreSQL instances. Additionally, pgcrypto now supports SHA-2 encryption for password hashing.

Replication

PostgreSQL 18 supports reporting logical replication write conflicts in logs and in the pg_stat_subscription_stats view. Additionally, CREATE SUBSCRIPTION now defaults to using parallel streaming for applying transactions, which can help improve performance. The pg_createsubscriber utility now has an --all flag so you can create logical replicas for all databases in an instance with a single command. PostgreSQL 18 also lets you automatically drop idle replication slots to help prevent storing too many write-ahead log files on a publisher.

Maintenance and observability

PostgreSQL 18 improves its vacuum strategy by proactively freezing more pages during regular vacuums, reducing overhead and helping in situations that require aggressive vacuums.

PostgreSQL 18 adds more details to EXPLAIN, which provides information about query plan execution, and as of this release now automatically shows how many buffers (the fundamental unit of data storage) are accessed when executing EXPLAIN ANALYZE. Additionally, EXPLAIN ANALYZE now shows how many index lookups occur during an index scan, and EXPLAIN ANALYZE VERBOSE includes CPU, WAL, and average read statistics. PostgreSQL 18 includes more info in pg_stat_all_tables on time spent on vacuum and related operations, as well as per-connection statistics on I/O and WAL utilization.

Other notable changes

Databases initialized with PostgreSQL 18 initdb now have page checksums enabled by default. This can affect upgrades from non-checksum enabled clusters, which would require you to create a new PostgreSQL 18 cluster with the --no-data-checksums option when using pg_upgrade.

PostgreSQL 18 also introduces a new version (3.2) of the PostgreSQL wire protocol, the first new protocol version since PostgreSQL 7.4 (2003). libpq still uses version 3.0 by default while clients (e.g., drivers, poolers, proxies) add support for the new protocol version.

Additional Features

Many other new features and improvements have been added to PostgreSQL 18 that may also be helpful for your use cases. Please see the release notes for a complete list of new and changed features.

Original source

PostgreSQL Project

The PostgreSQL Global Development Group announces that the first release candidate of PostgreSQL 18 is now available for download. As a release candidate, PostgreSQL 18 RC 1 will be mostly identical to the initial release of PostgreSQL 18, though some more fixes may be applied prior to the general availability of PostgreSQL 18.

The planned date for the general availability of PostgreSQL 18 is September 25, 2025. Please see the "Release Schedule" section for more details.

Upgrading to PostgreSQL 18 RC 1

To upgrade to PostgreSQL 18 RC 1 from earlier versions of PostgreSQL, you will need to use a major version upgrade strategy, e.g.

pg_upgrade

or

pg_dump

/

pg_restore

. For more information, please visit the documentation section on

upgrading

:

https://www.postgresql.org/docs/18/upgrading.html

Changes Since 18 Beta 3

Several bug fixes were applied for PostgreSQL 18 during the Beta 3 period. These include:

• Skip vacuuming virtual generated columns when using
  vacuumdb --missing-stats-only
  .
• Added recommendation on when to reindex full-text search and
  pg_trgm
  indexes after using
  pg_upgrade
  .

For a detailed list of fixes, please visit the

open items

page.

Release Schedule

This is the first release candidate for PostgreSQL 18. Unless an issue is discovered that warrants a delay or to produce an additional release candidate, PostgreSQL 18 should be made generally available on September 25, 2025.

For further information please see the

Beta Testing

page.

Links

• Download
• Beta Testing Information
• PostgreSQL 18 Beta Release Notes
• PostgreSQL 18 Open Issues
• Submit a Bug
• Donate

Original source

PostgreSQL 13 EOL Notice

The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 17.6, 16.10, 15.14, 14.19, and 13.22, as well as the third beta release of PostgreSQL 18. This release fixes 3 security vulnerabilities and over 55 bugs reported over the last several months.

If you previously created a BRIN index using the numeric_minmax_multi_ops operator class, please see the "Updating" section for additional instructions after upgrading your instance.

For the full list of changes, please review the release notes.

PostgreSQL 13 will stop receiving fixes on November 13, 2025. If you are running PostgreSQL 13 in a production environment, we suggest that you make plans to upgrade to a newer, supported version of PostgreSQL. Please see our versioning policy for more information.

Security Issues

CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table

CVSS v3.1 Base Score: 3.1

Supported, Vulnerable Versions: 13 - 17.

PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

The PostgreSQL project thanks Dean Rasheed for reporting this problem.

CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 13 - 17.

Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.

The PostgreSQL project thanks Martin Rakhmanov, Matthieu Denais, and RyotaK for reporting this problem.

CVE-2025-8715: PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 13 - 17.

Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.

The PostgreSQL project thanks Noah Misch for reporting this problem.

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

• Fix for BRIN indexes using the numeric_minmax_multi_ops operator class that could cause them to become bloated and inefficient. Please see the "Updating" section for instructions on how to fix these indexes.
• Several fixes for logical replication, including fixes for memory allocation failure, duplicate transaction replay, infinite wait, unexpected shutdown, and a standby unable to shutdown.
• Fix premature removal of old WAL during a checkpoint, which could impact recovery when using replication slots.
• Revert a change that could reject XML documents over 10MB in size.
• Fix how nested character classes (e.g. [[:alpha:]%_]) are handled in SIMILAR TO expressions.
• Restore the ability for PL/pgSQL expressions to use parallel execution.
• Avoid a rare scenario where a B-tree index could modify the wrong entry.
• Several fixes for MERGE, including incorrect query results with concurrency and when targeting a table that is a parent in an inheritance hierarchy.
• Fix LZ4 decompression failure that could occur on data that is not very compressible.
• Prevent an infinite loop in checkpoints on systems with very large shared_buffers settings.
• Fix issues with GSSAPI authentication when using Active Directory accounts with many group memberships. This release also fixes timing-dependent connection failures when using SSL or GSSAPI encryption in non-blocking mode.
• Fix a crash in libpq function PQcancelCreate().
• Fix several resource leaks.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

If you have any BRIN indexes that use the numeric_minmax_multi_ops operator class, it is advisable to REINDEX them after updating to fix any potential bloating and inefficiency.

Users who have skipped one or more update releases may need to run additional post-update steps; please see the release notes from earlier versions for details.

For more details, please see the release notes.

A Note on the PostgreSQL 18 Beta

This release marks the third beta release of PostgreSQL 18 and puts the community one step closer to general availability tentatively around September/October 2025.

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 18 on your systems to help us eliminate bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 3 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback helps the community ensure that PostgreSQL 18 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

Upgrading to PostgreSQL 18 Beta 3

To upgrade to PostgreSQL 18 Beta 3 from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump/pg_restore). For more information, please visit the documentation section on upgrading.

Changes Since Beta 2

Fixes and changes in PostgreSQL 18 Beta 3 include:

• Fix for performance regression in trivial queries.
• Fix "can't get cancellation key" error observed with some additional software.
• Fix for background workers failing to restart after crashes.
• Fix a rare asynchronous I/O failure.
• Stop dumping excess objects in pg_dumpall --statistics-only and --no-schema.
• Remove pg_dumpall non-text output file formats.
• Fix date_trunc(..., 'infinity'::timestamptz) on 32-bit systems.

Please see the release notes for a complete list of new and changed features:

https://www.postgresql.org/docs/18/release-18.html

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 18. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Beta Schedule

This is the third beta release of version 18. The PostgreSQL Project will release one or more release candidates, before the final release around September/October 2025. For further information please see the Beta Testing page.

Links

• Download
• Release Notes
• Security
• Versioning Policy
• Beta Testing Information
• PostgreSQL 18 Beta Release Notes
• PostgreSQL 18 Open Issues
• Submit a Bug
• Donate

If you have corrections or suggestions for this release announcement, please send them to the [email protected] public mailing list.

Original source

PostgreSQL Project

The PostgreSQL Global Development Group announces that the second beta release of PostgreSQL 18 is now available for download. This release contains previews of all features when PostgreSQL 18 is made generally available, though some details of the release can change during the beta period.

You can find information about all of the PostgreSQL 18 features and changes in the release notes:

https://www.postgresql.org/docs/18/release-18.html

In the spirit of the open source PostgreSQL community, we strongly encourage you to test the new features of PostgreSQL 18 on your systems to help us eliminate bugs and other issues. While we do not advise you to run PostgreSQL 18 Beta 2 in production environments, we encourage you to find ways to run your typical application workloads against this beta release.

Your testing and feedback helps the community ensure that PostgreSQL 18 upholds our standards of delivering a stable, reliable release of the world's most advanced open source relational database. Please read more about our beta testing process and how you can contribute:

https://www.postgresql.org/developer/beta/

Upgrading to PostgreSQL 18 Beta 2

To upgrade to PostgreSQL 18 Beta 2 from an earlier version of PostgreSQL, you will need to use a strategy similar to upgrading between major versions of PostgreSQL (e.g. pg_upgrade or pg_dump / pg_restore). For more information, please visit the documentation section on upgrading.

Changes Since Beta 1

Fixes and changes in PostgreSQL 18 Beta 2 include:

• Add support for prepared statements in squashing lists in query jumbling.
• Fix for foreign key validation on partitioned tables.
• Remove pg_get_process_memory_contexts() function.
• Several fixes for injection point testing to support testing AIO.
• Fix pg_dump for tables with complex names.
• Fix for statement location calculation for nested statements.
• Fix for upgrades from PostgreSQL 14 when the number of rows in a table is unknown.
• Fix stack overflow for OAuth parsers.
• Set pg_dump and pg_dumpall default behavior to use --no-statistics. Leave the default for pg_restore and pg_upgrade to be --with-statistics.
• Ensure LOAD $libdir/ works.
• Improvements for GIN amcheck.
• Remove PQservice() from libpq.

Please see the release notes for a complete list of new and changed features:

https://www.postgresql.org/docs/18/release-18.html

Testing for Bugs & Compatibility

The stability of each PostgreSQL release greatly depends on you, the community, to test the upcoming version with your workloads and testing tools to find bugs and regressions before the general availability of PostgreSQL 18. As this is a Beta, minor changes to database behaviors, feature details, and APIs are still possible. Your feedback and testing will help determine the final tweaks on the new features, so please test in the near future. The quality of user testing helps determine when we can make a final release.

A list of open issues is publicly available in the PostgreSQL wiki. You can report bugs using this form on the PostgreSQL website:

https://www.postgresql.org/account/submitbug/

Beta Schedule

This is the second beta release of version 18. The PostgreSQL Project will release additional betas as required for testing, followed by one or more release candidates, until the final release around September/October 2025. For further information please see the Beta Testing page.

Links

• Download
• Beta Testing Information
• PostgreSQL 18 Beta Release Notes
• PostgreSQL 18 Open Issues
• Submit a Bug
• Donate

Original source