The vulnerability in elixir-ecto postgrex (CVE-2026-32687) is due to improper neutralization of special elements in SQL commands (CWE-89). The channel parameter in Elixir.Postgrex.Notifications' listen/3 and unlisten/3 functions is unsafely interpolated into LISTEN and UNLISTEN SQL statements without escaping double quotes. This enables an attacker with influence over the channel name to inject SQL code by breaking out of the quoted identifier. Because the PostgreSQL simple query protocol accepts multi-statement payloads, attackers can chain additional SQL commands such as DROP TABLE. The vulnerability also affects the handle_connect/1 function when replaying LISTEN commands after reconnecting. Affected versions include postgrex from 0.16.0 before 0.22.2. There is no vendor advisory or patch information currently available.

Successful exploitation allows an attacker who can control the channel argument to execute arbitrary SQL commands on the PostgreSQL database through the notifications connection. This can lead to unauthorized data manipulation or destruction, including executing DDL and DML statements. The vulnerability has a CVSS 4.0 base score of 7.5 (high severity), indicating significant potential impact. There are no known exploits in the wild as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid passing untrusted input to the channel argument in Elixir.Postgrex.Notifications' listen/3, unlisten/3, and handle_connect/1 functions. Implement input validation or sanitization to prevent injection of double quote characters. Monitor vendor channels for updates and apply official patches once released.