CVE-2024-10976

Description

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

CVSS v3.1 Score

4.2

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Weakness Type (CWE)

CWE-1250 CWE-1250

Affected Products

Vendor	Product	Versions
postgresql	postgresql	12.0 — 12.21
postgresql	postgresql	13.0 — 13.17
postgresql	postgresql	14.0 — 14.14
postgresql	postgresql	15.0 — 15.9
postgresql	postgresql	16.0 — 16.5
postgresql	postgresql	17.0 — 17.1

References

Advisories & Patches

https://www.postgresql.org/support/security/CVE-2024-10976/

Other References

https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html https://security.netapp.com/advisory/ntap-20250509-0010/

Frequently Asked Questions

What is CVE-2024-10976? +

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. It has a CVSS v3.1 base score of 4.2 (MEDIUM).

How severe is CVE-2024-10976? +

CVE-2024-10976 has a CVSS v3.1 score of 4.2 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2024-10976? +

CVE-2024-10976 affects products from postgresql, specifically: postgresql. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-10976? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-30189 7.4

When cache is enabled, some passdb/userdb drivers incorrectly cache all users with same cache key, causing wrong cached information to …

CVE-2025-32899 4.3

In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, …

CVE-2024-1597 10.0

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In …

CVE-2024-7348 8.8

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the …

CVE-2024-10979 8.8

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. …

CVE-2026-6475 8.8

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, …