More Technical Information Than You Can Handle. 
 

.
 

PostgreSQL JDBC 42.7.12 Security Release

 

Silent channel-binding authentication downgrade (CVE-2026-54291) channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection triggers the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and post-quantum algorithms.
- Download PostgreSQL
- View Press Release
- Visit PostgreSQL

PostgreSQL-Press
Posted: July 5, 2026 |  By: Wissen Schwamm
Recent PostgreSQL-Press related news.
All 44 talks from POSETTE: An Event for Postgres 2026 are available on YouTube
CloudNativePG 1.30.0 Released!
pg_ivm 1.15 released
PostgreSQL JDBC 42.7.12 Security Release
pg_dbms_lock v2.0 has been released
+ View more PostgreSQL-Press related news +