Fix SQL injection in logical replication origin checks.

Noah Misch <noah@leadboat.com>

Commit: 248a433cd10759ef968ebed655d19dd1ef129bf6
Author: Noah Misch <noah@leadboat.com>
Date: 2026-05-11T12:13:50Z
Releases: 16.14
Fix SQL injection in logical replication origin checks.

ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolates schema and
relation names into SQL without quoting them.  A crafted subscriber
relation name can inject arbitrary SQL on the publisher.  Test such a
name.  Back-patch to v16, where commit
875693019053b8897ec3983e292acbb439b088c3 first appeared.

Reported-by: Pavel Kohout <pavel.kohout@aisle.com>
Author: Pavel Kohout <pavel.kohout@aisle.com>
Reviewed-by: Nathan Bossart <nathandbossart@gmail.com>
Backpatch-through: 16
Security: CVE-2026-6638

Files