Check CREATE privilege on multirange type schema in CREATE TYPE. This omission allowed roles to create multirange types in any schema, potentially leading to privilege escalations. Note that when a multirange type name is not specified in CREATE TYPE, it is automatically placed in the range type's schema, which is checked at the beginning of DefineRange().
Reported-by: Jelte Fennema-Nio <[email protected]> Author: Jelte Fennema-Nio <[email protected]> Reviewed-by: Nathan Bossart <[email protected]> Reviewed-by: Tomas Vondra <[email protected]> Security: CVE-2026-6472 Backpatch-through: 14 Branch ------ REL_14_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/8bca85e9ff14fd4c24acd049cf9ff00c304001e4 Author: Nathan Bossart <[email protected]> Modified Files -------------- src/backend/commands/typecmds.c | 7 +++++++ src/test/regress/expected/multirangetypes.out | 16 ++++++++++++++++ src/test/regress/sql/multirangetypes.sql | 16 ++++++++++++++++ 3 files changed, 39 insertions(+)
