This vulnerability arises from symlink following behavior in PostgreSQL's pg_basebackup (plain format) and pg_rewind tools. An origin superuser can exploit this to overwrite arbitrary local files on the database server, including critical files like .bashrc, potentially compromising the operating system account. The attack's practical effect requires that the attacker perform relevant actions between executing these commands and restarting the PostgreSQL server, as the server trusts the origin superuser implicitly after these operations. Affected versions include PostgreSQL releases before 18.4, 17.10, 16.14, 15.18, and 14.23. The CVSS v3.1 score is 8.8, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability.

Successful exploitation allows an origin superuser to overwrite local files on the PostgreSQL server, such as /var/lib/postgres/.bashrc, which can lead to hijacking the operating system account. This compromises confidentiality, integrity, and availability of the system. However, the attack requires user interaction and specific timing between the backup/rewind commands and server restart, limiting its practical exploitation scenarios.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid actions that involve moving or snapshotting files between pg_basebackup or pg_rewind execution and server restart. Monitoring PostgreSQL vendor advisories for updates and applying patches promptly when released is recommended.