CVE-2026-41889: pgx: SQL Injection via placeholder confusion with dollar quoted string literals

April 22, 2026 (updated April 30, 2026)

SQL Injection can occur when:

The non-default simple protocol is used.
A dollar quoted string literal is used in the SQL query.
That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

References

github.com/advisories/GHSA-j88v-2chj-qfwx
github.com/jackc/pgx
github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da
github.com/jackc/pgx/releases/tag/v5.9.2
github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx
nvd.nist.gov/vuln/detail/CVE-2026-41889

Code Behaviors & Features

Detect and mitigate CVE-2026-41889 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →