CVE-2024-10976
CVE-2024-10976 is a medium-severity vulnerability in Postgresql with a CVSS 3.x base score of 4.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1250.
Key facts
- Severity: Medium (CVSS 3.x base score 4.2)
- EPSS exploit prediction: 1% (52nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-33374
- Weakness: CWE-1250
- Affected product: Postgresql
- Published:
- Last modified:
Description
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Frequently asked questions
- What is CVE-2024-10976?
- Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
- How severe is CVE-2024-10976?
- CVE-2024-10976 has a CVSS 3.x base score of 4.2, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2024-10976 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (52nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-10976?
- CVE-2024-10976 affects Postgresql. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-10976?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-10976 have an EU (EUVD) identifier?
- Yes. CVE-2024-10976 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-33374.
- When was CVE-2024-10976 published?
- CVE-2024-10976 was published on 2024-11-14 and last updated on 2026-06-17.
References
- https://www.postgresql.org/support/security/CVE-2024-10976/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html
- https://security.netapp.com/advisory/ntap-20250509-0010/
Affected products (1)
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
More vulnerabilities in Postgresql
- CVE-2013-1903 — Critical (CVSS 10.0): PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before…
- CVE-2013-1902 — Critical (CVSS 10.0): PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23…
- CVE-2007-3279 — Critical (CVSS 10.0): PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql) language has been created, grants certain…
- CVE-2002-1399 — Critical (CVSS 10.0): Unknown vulnerability in cash_out and possibly other functions in PostgreSQL 7.2.1 and earlier, and possibly later…
- CVE-2015-0244 — Critical (CVSS 9.8): PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not…
- CVE-2015-3166 — Critical (CVSS 9.8): The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7,…
All CVEs affecting Postgresql →
Other CWE-1250 vulnerabilities
- CVE-2025-30189 — High (CVSS 7.4): When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached…
- CVE-2023-22405 — Medium (CVSS 6.5): An Improper Preservation of Consistency Between Independent Representations of Shared State vulnerability in the Packet…
- CVE-2022-22234 — Medium (CVSS 5.5): An Improper Preservation of Consistency Between Independent Representations of Shared State vulnerability in the Packet…
- CVE-2025-32899 — Medium (CVSS 4.3): In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair.…