Improper Authentication in Postgresql JDBC Driver - CVE-2025-49146
Published: July 4, 2025
Vulnerability identifier: #VU112166
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-49146
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PostgreSQL Global Development Group
Affected software:
Postgresql JDBC Driver
Postgresql JDBC Driver
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). A remote attacker can intercept connections that users believed were protected by channel binding requirements.
How to mitigate CVE-2025-49146
Install updates from vendor's website.