Skip to content

SQL Injection via placeholder confusion with dollar quoted string literals

Moderate
jackc published GHSA-j88v-2chj-qfwx Apr 19, 2026

Package

gomod github.com/jackc/pgx (Go)

Affected versions

< 5.9.2

Patched versions

5.9.2

Description

Impact

SQL injection can occur when:

  1. The non-default simple protocol is used.
  2. A dollar quoted string literal is used in the SQL query.
  3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal.
  4. The value of that placeholder is controllable by the attacker.

e.g.

attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)

This is unlikely to occur outside of a contrived scenario.

Patches

The problem is resolved in v5.9.2.

Workarounds

Do not use the simple protocol to execute queries matching all the above conditions.

Severity

Moderate

CVE ID

CVE-2026-41889

Weaknesses

No CWEs