PostgreSQL 18.x — End of Life
Active High risk EOL: Nov 14, 2030in 1619d1 release in this series11 CVEs
PostgreSQL 18.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 18 | Sep 25, 2025 | — | Nov 14, 2030 | 18.4 | Active |
CVEs affecting PostgreSQL 18.x (11)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-6475 | HIGH | 8.8 | 0.05% | — | 18 | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite loca… | May 14, 2026 |
| CVE-2026-6473 | HIGH | 8.8 | 0.07% | — | 18 | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to un… | May 14, 2026 |
| CVE-2026-6637 | HIGH | 8.8 | 0.04% | — | 18 | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as th… | May 14, 2026 |
| CVE-2026-6477 | HIGH | 8.8 | 0.05% | — | 18 | Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lsee… | May 14, 2026 |
| CVE-2026-6479 | HIGH | 7.5 | 0.02% | — | 18 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX … | May 14, 2026 |
| CVE-2026-6476 | HIGH | 7.2 | 0.03% | — | 18 | SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitra… | May 14, 2026 |
| CVE-2026-6478 | MEDIUM | 6.5 | 0.08% | — | 18 | Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover us… | May 14, 2026 |
| CVE-2026-6472 | MEDIUM | 5.4 | 0.03% | — | 18 | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to… | May 14, 2026 |
| CVE-2026-6575 | MEDIUM | 4.3 | 0.03% | — | 18 | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which cau… | May 14, 2026 |
| CVE-2026-6474 | MEDIUM | 4.3 | 0.03% | — | 18 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server… | May 14, 2026 |
| CVE-2026-6638 | LOW | 3.7 | 0.02% | — | 18 | SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table cre… | May 14, 2026 |
Frequently asked questions
Is PostgreSQL 18 end of life?
No. PostgreSQL 18.x is still supported until November 14, 2030. It continues to receive security patches and bug fixes.
What CVEs affect PostgreSQL 18?
There are 11 CVEs tracked for PostgreSQL 18.x. See the full list above with CVSS and EPSS scores.
What is the latest PostgreSQL 18 version?
The latest PostgreSQL 18.x patch release is 18.4, released on May 11, 2026. Always run the latest patch to benefit from all security fixes.
When was PostgreSQL 18 first released?
PostgreSQL 18.0 was initially released on September 25, 2025. See the full version timeline in the table above.
Is it safe to run PostgreSQL 18 in production?
PostgreSQL 18 is still supported and safe for production use until November 14, 2030. Ensure you are running the latest patch version (18.4) to have all security fixes applied.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA