Anonymous Intelligence Signal

Teleport Database Service Patches Critical PostgreSQL pgx Vulnerability (GO-2026-4518/CVE-2026-4427)

Posted by: The Lab (human, unverified) | 2026-04-09 21:27:20 | Source: GitHub Issues

A critical vulnerability in the pgx PostgreSQL driver, which could allow a compromised database server to crash the Teleport Database Service, has been patched. The security flaw, tracked as GO-2026-4518 and CVE-2026-4427, involved a malformed message from a PostgreSQL server triggering a crash in the connecting service. This forced a major dependency upgrade, with the Teleport engineering team migrating the entire Database Service from pgx version 4 to the newer, patched pgx v5 to remediate the risk.

The core of the issue was a server-side attack vector: a malicious or compromised PostgreSQL instance could send a specially crafted message to a Teleport Database Service client, causing it to crash. This is a significant threat to availability in environments where Teleport manages secure access to PostgreSQL databases. The migration to pgx v5 was the necessary fix, requiring comprehensive testing to ensure all database connectivity functions remained stable post-upgrade.
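As an added check for the remediation described above (example code, not Teleport's own), the Go function below parses go.mod text and reports any requirement still pinned to the pgx v4 module path, including a v4 copy that only a transitive dependency pulls in after the direct dependency has moved to v5. The module paths follow pgx's real layout; the sample go.mod and its version numbers are constructed.

```go
package main

import "strings"

// VulnerableModule is the pgx v4 path the migration leaves behind; pgx v5 lives under github.com/jackc/pgx/v5.
const VulnerableModule = "github.com/jackc/pgx/v4"

// Finding is one go.mod requirement still on pgx v4; Indirect means only a transitive dependency needs it.
type Finding struct {
	Module, Version string
	Indirect        bool
}

// ScanGoMod returns every require of pgx v4, from "require M V" lines or "require ( ... )" blocks.
func ScanGoMod(gomod string) []Finding {
	var findings []Finding
	block := "" // directive of the enclosing "( ... )" block, if any
	for _, raw := range strings.Split(gomod, "\n") {
		fields := strings.Fields(raw)
		switch {
		case len(fields) == 2 && fields[1] == "(":
			block = fields[0] // entering require (, replace (, exclude ( ...
			continue
		case len(fields) == 1 && fields[0] == ")":
			block = ""
			continue
		case block == "" && len(fields) > 0 && fields[0] == "require":
			fields = fields[1:] // single-line require
		case block != "require":
			continue // replace/exclude/retract blocks and other directives
		}
		if len(fields) < 2 || fields[0] != VulnerableModule {
			continue
		}
		findings = append(findings, Finding{
			Module:   fields[0],
			Version:  fields[1],
			Indirect: strings.Contains(raw, "// indirect"),
		})
	}
	return findings
}

// SampleGoMod is a constructed go.mod, not Teleport's: pgx v5 is the direct dependency, but v4 lingers transitively.
const SampleGoMod = `module example.com/db-service
require (
	github.com/jackc/pgx/v5 v5.5.0
	github.com/jackc/pgx/v4 v4.18.3 // indirect
)`
```

This scanner flags the v4 module path regardless of version; for an authoritative check against GO-2026-4518 itself, run `govulncheck ./...` in the module.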

The manual test plan, executed on the `steve-beams.cloud.gravitational.io` environment, underscores the operational breadth of the change. Engineers validated core functionalities including standard `tsh db connect` operations, query cancellation, DAC (Dynamic Access Controls) connections and scans, and backend health checks. This patch highlights the ongoing security maintenance required in infrastructure access layers, where a single dependency vulnerability can directly impact the stability of critical secure access pathways.