pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.
CVE-2026-54291
This medium-severity CVE scores 5.9 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 84% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.9
- EG Score
- 5.9(medium)
- EPSS
- 14.6%
- KEV
- Not listed
Published
July 6, 2026
Last Modified
July 9, 2026
Advisory Details (3)
Auto-updated Jul 6, 2026Silent channel-binding authentication downgrade via unsupported certificate algorithms · Advisory · pgjdbc/pgjdbc · GitHub
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867commit 77df98e4e66c (pgjdbc/pgjdbc)
Patch available: pgjdbc/pgjdbc REL42.7.12 (contains commit 77df98e4e66c)
https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99SCRAM Java 3.3
Patch available: ongres/scram 3.3
https://github.com/ongres/scram/releases/tag/3.3Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 19× in last 7d / 19× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-10 23:58 UTCEG score recompute
- 2026-07-09 23:11 UTCEG score recompute▼ 2.30
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 13:52 UTCNVD updateCVSS v3 → 5.9 · severity → MEDIUM
- 2026-07-09 12:18 UTCEG score recompute
- 2026-07-09 01:27 UTCEG score recompute
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 14:34 UTCEG score recompute
- 2026-07-08 03:42 UTCEG score recompute
- 2026-07-07 16:51 UTCEG score recompute
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 06:00 UTCEG score recompute
- 2026-07-06 19:07 UTCEG score recompute
- 2026-07-06 19:06 UTCMITRE cvelistV5first tracked
Frequently asked(5)
What is CVE-2026-54291?
When was CVE-2026-54291 disclosed?
Is CVE-2026-54291 actively exploited?
What is the CVSS score of CVE-2026-54291?
How do I remediate CVE-2026-54291?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-54291
Is Your Infrastructure Affected by CVE-2026-54291?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.