PostgreSQL 13.x — End of Life
EOL High riskPostgreSQL 13.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 13 | Sep 24, 2020 | — | Nov 13, 2025 | 13.23 | EOL |
CVEs affecting PostgreSQL 13.x (8)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-6637 | HIGH | 8.8 | 0.04% | — | 13 | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th… | May 14, 2026 |
| CVE-2026-6473 | HIGH | 8.8 | 0.07% | — | 13 | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un… | May 14, 2026 |
| CVE-2026-6475 | HIGH | 8.8 | 0.05% | — | 13 | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca… | May 14, 2026 |
| CVE-2026-6477 | HIGH | 8.8 | 0.05% | — | 13 | Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee… | May 14, 2026 |
| CVE-2026-6479 | HIGH | 7.5 | 0.02% | — | 13 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX … | May 14, 2026 |
| CVE-2026-6478 | MEDIUM | 6.5 | 0.08% | — | 13 | Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us… | May 14, 2026 |
| CVE-2026-6472 | MEDIUM | 5.4 | 0.03% | — | 13 | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to… | May 14, 2026 |
| CVE-2026-6474 | MEDIUM | 4.3 | 0.03% | — | 13 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server… | May 14, 2026 |
PostgreSQL 13.x is EOL — migrate to PostgreSQL 14.x
PostgreSQL 14.x is the next major release. Plan your upgrade before PostgreSQL 13.x stops receiving security patches.
Frequently asked questions
Is PostgreSQL 13 end of life?
Yes. All PostgreSQL 13.x releases have reached end of life and no longer receive security patches. There are 8 known CVEs affecting PostgreSQL 13.x. Migrate to PostgreSQL 14.x as soon as possible.
What CVEs affect PostgreSQL 13?
There are 8 CVEs tracked for PostgreSQL 13.x. See the full list above with CVSS and EPSS scores.
What is the latest PostgreSQL 13 version?
The latest PostgreSQL 13.x patch release is 13.23, released on November 10, 2025. Always run the latest patch to benefit from all security fixes.
How to migrate from PostgreSQL 13 to PostgreSQL 14?
To migrate from PostgreSQL 13 to PostgreSQL 14: (1) review the official PostgreSQL 14 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run PostgreSQL 13 in production?
No. PostgreSQL 13 has reached end of life and security vulnerabilities are no longer patched. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA