CVE-2026-41889 Overview
CVE-2026-41889 is a SQL injection vulnerability in pgx, a widely used PostgreSQL driver and toolkit for Go. The flaw affects versions prior to 5.9.2 and is triggered only under a narrow combination of conditions involving the non-default simple protocol and dollar-quoted string literals. When an attacker controls a placeholder value embedded inside such a literal, that value can be interpreted as a SQL placeholder outside the string context, enabling query manipulation. The maintainers shipped the fix in pgx version 5.9.2.
Critical Impact
Attackers with control over placeholder input can inject SQL fragments when applications use the simple protocol together with dollar-quoted string literals, leading to query tampering [CWE-89].
Affected Products
- github.com/jackc/pgx/v5 prior to version 5.9.2
- Go applications using pgx with the non-default simple protocol enabled
- Queries containing dollar-quoted string literals with attacker-controlled placeholder values
Discovery Timeline
- 2026-05-08 - CVE-2026-41889 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41889
Vulnerability Analysis
The pgx driver supports two PostgreSQL wire protocols: the extended protocol, which is the default, and the simple protocol, which clients can opt into. The extended protocol sends parameters separately from the SQL text, preventing classic injection. The simple protocol, by contrast, requires pgx to interpolate parameter values into the SQL string client-side before sending the statement to PostgreSQL.
The vulnerability stems from how pgx parses dollar-quoted string literals during this client-side interpolation. PostgreSQL dollar quoting uses delimiters such as $tag$ ... $tag$ to enclose string content. When a query contains a dollar-quoted literal, pgx must skip placeholder substitution inside that literal. The pre-5.9.2 parser failed to correctly identify all placeholder-like tokens within these literals, causing some $N sequences inside the dollar-quoted region to be treated as parameter placeholders.
Root Cause
The root cause is incorrect lexing of dollar-quoted string literals in the simple protocol query sanitizer. When a dollar-quoted body contains text resembling a placeholder reference, the sanitizer substitutes the supplied parameter value at that position. If the attacker controls that parameter value, the injected content escapes the intended string context and is parsed as SQL by the server.
Attack Vector
Exploitation requires a specific combination of preconditions. The application must use the simple protocol, the query must include a dollar-quoted string literal, that literal must contain text matching the placeholder syntax, and the attacker must control the corresponding placeholder value. Under these conditions, the attacker submits payloads that, after interpolation, break out of the dollar-quoted region and append arbitrary SQL clauses. See the GitHub Security Advisory GHSA-j88v-2chj-qfwx for technical details.
Detection Methods for CVE-2026-41889
Indicators of Compromise
- Unexpected SQL statements in PostgreSQL server logs originating from application connections using the simple protocol
- Database errors referencing unterminated dollar-quoted strings or unexpected tokens following user input
- Application logs showing query failures correlated with placeholder values containing $ characters or dollar-quote tags
Detection Strategies
- Inventory Go projects for github.com/jackc/pgx dependencies and flag any version below 5.9.2 using go list -m all or software composition analysis tooling
- Review application code for explicit use of the simple protocol, typically via PreferSimpleProtocol or default_query_exec_mode=simple_protocol configuration
- Audit SQL queries for dollar-quoted string literals that interpolate user-supplied parameter values
Monitoring Recommendations
- Enable PostgreSQL log_statement = 'all' in non-production environments to capture query shapes used by the application
- Forward database and application logs to a centralized analytics platform to correlate anomalous SQL patterns with user input
- Alert on parse errors in PostgreSQL logs that reference dollar-quote delimiters, which often indicate injection attempts
How to Mitigate CVE-2026-41889
Immediate Actions Required
- Upgrade github.com/jackc/pgx/v5 to version 5.9.2 or later across all Go services
- Identify code paths that opt into the simple protocol and confirm whether they are required
- Sanitize or strictly validate any user-controlled values that flow into queries containing dollar-quoted string literals
Patch Information
The maintainers fixed the parser in pgx5.9.2. The corrected dollar-quote handling is included in the GitHub Commit Update and shipped via the GitHub Release v5.9.2. After upgrading, run go mod tidy and rebuild all affected binaries.
Workarounds
- Switch affected queries to the default extended protocol, which sends parameters separately and is not affected by this issue
- Remove dollar-quoted string literals from queries that mix with user-supplied placeholder values, using standard single-quoted strings instead
- Apply allow-list input validation to placeholder values to reject characters such as $ that participate in dollar-quote syntax
# Upgrade pgx to the patched release
go get github.com/jackc/pgx/v5@v5.9.2
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
