Incorrect Implementation of Authentication Algorithm Affecting org.postgresql:postgresql package, versions [,42.7.12)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.24% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGPOSTGRESQL-17874248
  • published7 Jul 2026
  • disclosed6 Jul 2026
  • creditKeijo Tuominen

Introduced: 6 Jul 2026

NewCVE-2026-54291  (opens in a new tab)
CWE-303  (opens in a new tab)

How to fix?

Upgrade org.postgresql:postgresql to version 42.7.12 or higher.

Overview

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm in the ScramAuthenticator class, which fails open by confirming only that the server advertised a -PLUS mechanism while neither rejecting an empty channel binding nor verifying that the negotiated mechanism actually uses channel binding. An attacker intercepting the TLS connection can strip the MitM protection that channelBinding=require is meant to guarantee, downgrading authentication from SCRAM-SHA-256-PLUS to plain SCRAM-SHA-256, by presenting a certificate with a signature algorithm such as Ed25519, Ed448, or a post-quantum scheme that makes the bundled scram-client return an empty binding instead of failing. This affects only connections that explicitly set channelBinding=require, since the default prefer policy documents fallback as expected behavior.

Workaround

This vulnerability can be avoided by configuring the connection with sslmode=verify-full and a restrictive truststore, which provides equivalent MitM protection independent of channel binding.

CVSS Base Scores

version 4.0
version 3.1