Overview
This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.
Vulnerability Details
- CVE ID: CVE-2026-42198
- Dependency Name: postgresql JDBC
- Affected Version of Dependency: 42.2.0 – 42.7.10
- Severity Score: 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
DPGW versions shipping an affected version of the dependency
- <= 1.13.20-REL
- <= 1.12.45-REL
Risk Assessment & Applicability
Usage
DPGW uses postgresql JDBC driver to connect to the database.
Analysis
CVE-2026-42198 is a client-side Denial of Service (DoS) vulnerability in the PostgreSQL JDBC Driver (pgjdbc). It occurs during the SCRAM-SHA-256 authentication handshake. Mechanism: the server-first-message sent by the server carries the PBKDF2 iteration count (the "i=" attribute). A malicious server can send an extremely high value (millions or billions of iterations). An unpatched client computes the salted password with that many PBKDF2 rounds, consuming 100% of a CPU core for an effectively unbounded time; because this work runs on the connecting thread, it can exhaust connection pools and hang the application.
Because DPGW connects only to the database servers configured by the operator, and not to arbitrary, user-supplied, or untrusted external database URLs, a direct malicious-server attack from the outside is not possible in this deployment model: an attacker cannot supply a URL pointing at a server they control in order to trigger the DoS.
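The following is an added illustration of the mechanism described above, not code from DPGW or from pgjdbc: it parses a SCRAM server-first-message and refuses to run PBKDF2 when the iteration count is outside a sane range, which is the check an unpatched client lacks. The benign message is the server-first-message from the example exchange in RFC 7677; the malicious message is constructed for this example, and the MAX_ITERATIONS ceiling is an assumed illustrative value (the exact bound adopted in the pgjdbc fix is not stated on this page).

```python
import base64
import binascii
import hashlib

# Upper bound on the PBKDF2 iteration count this client will honour. PostgreSQL
# servers default to 4096 and RFC 7677 says the count SHOULD be at least 4096.
# The ceiling used by the real pgjdbc fix is not given on this page; 1_000_000 is
# an assumed value chosen only to illustrate the check.
MAX_ITERATIONS = 1_000_000


def parse_server_first(msg: str) -> dict:
    """Parse a SCRAM server-first-message: 'r=<nonce>,s=<base64 salt>,i=<iterations>'."""
    attrs = {}
    for part in msg.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        attrs[part[0]] = part[2:]
    missing = [k for k in ("r", "s", "i") if k not in attrs]
    if missing:
        raise ValueError(f"server-first-message missing attribute(s): {missing}")
    try:
        iterations = int(attrs["i"])
    except ValueError:
        raise ValueError(f"non-integer iteration count: {attrs['i']!r}") from None
    return {
        "nonce": attrs["r"],
        "salt": base64.b64decode(attrs["s"], validate=True),
        "iterations": iterations,
    }


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    """SaltedPassword := Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-256 with i rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def evaluate_server_first(msg: str, password: str, client_nonce: str,
                          cap: int = MAX_ITERATIONS) -> tuple:
    """Validate the server-first-message and, only if it passes, derive SaltedPassword.

    Returns ("ok", salted_password_bytes) or ("rejected", reason).
    The unpatched behaviour the CVE describes corresponds to skipping the
    iteration-count check and calling pbkdf2_hmac with whatever value of i the
    server sent.
    """
    try:
        parsed = parse_server_first(msg)
    except (ValueError, binascii.Error) as exc:
        return ("rejected", f"parse error: {exc}")
    if not parsed["nonce"].startswith(client_nonce):
        return ("rejected", "server nonce does not extend the client nonce")
    i = parsed["iterations"]
    if i < 1 or i > cap:
        # Refuse before any PBKDF2 work is done: this bounds the CPU cost a
        # malicious or tampered server can impose on the client.
        return ("rejected", f"iteration count {i} outside allowed range 1..{cap}")
    return ("ok", salted_password(password, parsed["salt"], i))


CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
# Benign message: the server-first-message from the RFC 7677 example exchange.
BENIGN_SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                       "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
# Constructed malicious message (not from any real server): same shape, but an
# iteration count that would keep an unbounded client busy for hours.
MALICIOUS_SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                          "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=2000000000")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_SERVER_FIRST), ("malicious", MALICIOUS_SERVER_FIRST)):
        status, detail = evaluate_server_first(msg, "pencil", CLIENT_NONCE)
        print(label, status, detail.hex() if status == "ok" else detail)
```

Running the script derives the salted password for the RFC example and rejects the constructed message without touching PBKDF2; the cost of an accepted message is bounded by the cap, which is the property the vulnerable client lacked.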
Status
Not affected
Impact on DPGW
No impact when using localhost-only DB connections or when connecting to trusted servers.
Remediation & Mitigations
User Actions
- Do not configure DPGW against untrusted PostgreSQL database servers.
- Recommended hardening: connect to the trusted server over TLS with server certificate verification (for example sslmode=verify-full in the JDBC connection settings), so that an on-path attacker cannot impersonate the trusted server and inject its own server-first-message during the authentication handshake.