Postgres Weekly — 2026-05, Week 20

Editor’s Note

This week’s Postgres landscape is defined by two converging threads: a significant security reckoning in the May 2026 coordinated release cycle, and a wave of architectural work — from partition management redesign to copy-on-write sandbox cloning — that reflects the growing operational demands placed on production Postgres deployments. Together they make a strong case for treating both upgrade cadence and extension hygiene as first-class engineering concerns.


Top Stories

PostgreSQL 19 Revisits PARTITION MERGE and SPLIT With a Safer Locking Model

PostgreSQL 19 is reintroducing MERGE PARTITIONS and SPLIT PARTITION commands, this time with a redesigned locking model intended to address the correctness and safety concerns that accompanied the first attempt. For teams managing large partitioned tables in production — particularly those currently navigating CloudNativePG migration paths from PG 17 to PG 18 — the locking semantics matter directly: poorly scoped locks on partition operations can stall concurrent OLTP workloads for meaningful durations. The revised approach signals that the PostgreSQL community is treating partition lifecycle management as a production-grade operational concern, not just a DDL convenience. Read more

Two RCE Vulnerabilities Sat Undetected in pgcrypto for Twenty Years

Among the eleven CVEs addressed in the May 14 2026 minor releases, two stand out for their severity and longevity: a pair of remote code execution flaws in pgcrypto’s OpenPGP implementation, one of which is a heap buffer overflow that persisted undetected from at least 2005 until an AI-assisted fuzzer surfaced it in December 2025. Community analysis confirms that a working exploit existed before the coordinated patch landed, and that all supported major versions — PostgreSQL 14 through 18 — were affected. The OpenPGP code is reached only through pgcrypto’s SQL-level entry points (the pgp_* functions and armor/dearmor), so the exposed population is every deployment in which some role can call those functions with attacker-controlled input, whether an application that decrypts user-supplied data or a SQL injection path that can reach them. For those deployments, patching to the May 2026 releases is not discretionary. Read more

Ardent Provisions Copy-on-Write Postgres Clones in Under Six Seconds

Ardent (YC P26) has built a sandbox cloning architecture that combines logical replication, DDL triggers, and Kafka-backed replication streams to produce copy-on-write Postgres clones in under six seconds, even at terabyte scale. The design routes around the physical replication restrictions that prevent this kind of branching on hosted platforms, using Neon as the underlying branching engine while keeping measurable impact on the source production database low. The practical target is AI coding agents and ephemeral test environments that require production-fidelity data without a full platform migration, a gap that has grown more visible as agent-driven development workflows mature. Read more

ClickHouse Analyzes Where Postgres FDW Pushdown Falls Short

ClickHouse has published a detailed breakdown of how predicate and aggregate pushdown decisions are negotiated between the Postgres foreign data wrapper planner and a remote ClickHouse engine. The analysis focuses specifically on the cases where pushdown is declined — due to unsupported expressions, type mismatches, or planner conservatism — and the resulting query performance degradation when full result sets are pulled back to Postgres for local execution. For architects routing analytical workloads across heterogeneous engines via FDW, understanding where the negotiation protocol fails is as important as knowing when it succeeds. Read more
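The point in the ClickHouse analysis, that a declined pushdown silently turns a remote filter into a local one, is easy to make visible from the Postgres side. The example below is added here and is not from the ClickHouse article; because the page does not show the ClickHouse wrapper’s planner hooks, it uses postgres_fdw, whose documented rule is that only expressions built from built-in IMMUTABLE operators and functions (plus objects of extensions listed in the server’s `extensions` option) are shipped. The server name, host, credentials and the `events` table are made up for illustration.

```sql
-- Added illustration (not from the page): seeing pushdown succeed and fail with
-- EXPLAIN (VERBOSE). postgres_fdw stands in for the ClickHouse wrapper; the
-- server/host/table below are constructed for the example.

CREATE EXTENSION IF NOT EXISTS postgres_fdw;
CREATE SERVER analytics FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'analytics.internal', dbname 'events', port '5432');
CREATE USER MAPPING FOR CURRENT_USER SERVER analytics
    OPTIONS (user 'reporter', password 'change-me');   -- keep real secrets out of SQL files
CREATE FOREIGN TABLE events (
    id          bigint,
    tenant_id   integer,
    occurred_at timestamptz,
    payload     jsonb
) SERVER analytics OPTIONS (schema_name 'public', table_name 'events');

-- Shipped: both predicates appear inside "Remote SQL:", and because nothing is left
-- to evaluate locally the count(*) is pushed down as well (the plan is a single
-- Foreign Scan with "Relations: Aggregate on (public.events events)", no local
-- Aggregate node).
EXPLAIN (VERBOSE, COSTS OFF)
SELECT count(*)
FROM events
WHERE tenant_id = 42 AND occurred_at >= timestamptz '2026-05-11';

-- Declined: now() is STABLE, not IMMUTABLE, so the wrapper refuses to ship the time
-- predicate. The plan shows "Remote SQL:" carrying only tenant_id = 42, a local
-- "Filter:" for the time bound, and a local Aggregate above the Foreign Scan: every
-- row for the tenant crosses the wire before the filter is applied. This is the
-- failure mode the ClickHouse write-up describes, here triggered by planner
-- conservatism about volatility rather than by an unsupported remote expression.
EXPLAIN (VERBOSE, COSTS OFF)
SELECT count(*)
FROM events
WHERE tenant_id = 42 AND occurred_at >= now() - interval '1 day';

-- Fix: evaluate the volatile part on the Postgres side and hand the wrapper a plain
-- value. A prepared-statement parameter is shipped either as a literal (custom plan)
-- or as $1 (generic plan); both forms push the predicate and the aggregate down.
PREPARE recent(timestamptz) AS
    SELECT count(*) FROM events WHERE tenant_id = 42 AND occurred_at >= $1;
EXPLAIN (VERBOSE, COSTS OFF) EXECUTE recent(now() - interval '1 day');
```

Run the three EXPLAINs against any foreign server and compare the `Remote SQL:` lines; the moment a predicate moves from there to a `Filter:` line, the row count crossing the network is bounded by the remote predicates only.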


Releases

PostgreSQL 18.4 / 17.10 / 16.14 / 15.18 / 14.23 — Coordinated minor releases issued May 14 2026 address eleven CVEs and more than sixty bugs across all supported major versions; immediate upgrade is warranted given the RCE-class findings. Release announcement

pg_statviz 1.0 — The minimalist time-series statistics and visualization extension for PostgreSQL reaches 1.0 with the addition of AI-powered analysis of collected metrics. Release announcement

pg_duckdb — An extension embedding DuckDB’s analytical query engine directly inside Postgres, enabling high-performance OLAP execution without leaving the Postgres connection layer. GitHub

pg_sorted_heap — A custom table access method that maintains sorted heap storage with zone map scan pruning, targeting workloads where sequential scan performance is the primary constraint. GitHub

Petri — A drop-in Postgres Docker image with a Golang proxy that forks an isolated database per test connection using CREATE DATABASE ... TEMPLATE, dropping the fork automatically on disconnect. GitHub


Security and Compliance

pgcrypto Heap Buffer Overflow and Dual RCE (May 2026 Batch) — The heap buffer overflow in pgcrypto’s OpenPGP implementation, present since at least 2005 and surfaced by an AI-assisted fuzzer in December 2025, was one of two RCE-class vulnerabilities patched in the May 14 2026 releases; all supported major versions (14 through 18) were affected, and community analysis flags the twenty-year exposure window as a benchmark case for the limits of manual code review. Analysis

PostgreSQL May 2026 Eleven-CVE Coordinated Release — The May 2026 release batch covers eleven distinct CVEs spanning PostgreSQL 14 through 18; community pre-release analysis identified the scope by inspecting upstream git logs prior to the coordinated disclosure date. Pre-release analysis
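For the pgcrypto findings described in the top story and the two items above, the questions a responder has to answer per cluster are: is this server on a patched minor, is pgcrypto installed in this database, and who can reach its OpenPGP functions in the meantime. The script below is an added triage aid, not code from the page, from the PostgreSQL project or from the pgcrypto analysis. It assumes that the affected code is reached through pgcrypto’s OpenPGP entry points, i.e. the pgp_* functions plus armor/dearmor (the page names the OpenPGP implementation but not the specific functions), and it takes the patched minor versions from the page’s release item. The role name in the closing GRANT is hypothetical.

```sql
-- Added triage script (not from the page, PostgreSQL or pgcrypto). Assumptions:
--  * the vulnerable code is reached via pgcrypto's OpenPGP entry points: the pgp_*
--    functions and armor/dearmor (the exact affected functions are not on the page);
--  * patched minors are those in the page's release list.

-- 1. Is this server on a patched minor? server_version_num is major*10000 + minor,
--    so 18.4 = 180004, 17.10 = 170010, 16.14 = 160014, 15.18 = 150018, 14.23 = 140023.
WITH patched(major, minver) AS (
    VALUES (14, 140023), (15, 150018), (16, 160014), (17, 170010), (18, 180004)
),
me AS (
    SELECT current_setting('server_version_num')::int AS v
)
SELECT me.v AS server_version_num,
       CASE
           WHEN patched.major IS NULL THEN 'unsupported or unknown major: check manually'
           WHEN me.v >= patched.minver THEN 'patched'
           ELSE 'VULNERABLE: upgrade'
       END AS status
FROM me
LEFT JOIN patched ON patched.major = me.v / 10000;

-- 2. Is pgcrypto installed here, and which OpenPGP entry points can PUBLIC execute?
--    Functions are EXECUTE-able by PUBLIC by default, so a plain CREATE EXTENSION
--    exposes them to every role in the database. Extensions are per database: run
--    this (and step 3) in each database of the cluster.
SELECT p.oid::regprocedure                                AS func,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute
FROM pg_proc p
JOIN pg_depend d    ON d.objid = p.oid
                   AND d.classid = 'pg_proc'::regclass
                   AND d.refclassid = 'pg_extension'::regclass
                   AND d.deptype = 'e'
JOIN pg_extension e ON e.oid = d.refobjid
WHERE e.extname = 'pgcrypto'
  AND (p.proname LIKE 'pgp\_%' OR p.proname IN ('armor', 'dearmor'))
ORDER BY 1;

-- 3. Interim containment until the minor release is rolled out: revoke PUBLIC's EXECUTE
--    on those entry points, then re-grant only to the service roles that legitimately
--    decrypt. This does not help when the attacker already runs as a role that keeps
--    the grant (e.g. SQL injection through the application's own role); it narrows
--    the reachable population, it is not a substitute for patching.
DO $$
DECLARE
    fn text;
BEGIN
    FOR fn IN
        SELECT p.oid::regprocedure::text
        FROM pg_proc p
        JOIN pg_depend d    ON d.objid = p.oid
                           AND d.classid = 'pg_proc'::regclass
                           AND d.refclassid = 'pg_extension'::regclass
                           AND d.deptype = 'e'
        JOIN pg_extension e ON e.oid = d.refobjid
        WHERE e.extname = 'pgcrypto'
          AND (p.proname LIKE 'pgp\_%' OR p.proname IN ('armor', 'dearmor'))
    LOOP
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', fn);
        RAISE NOTICE 'revoked PUBLIC execute on %', fn;
    END LOOP;
END
$$;

-- Re-grant per role that must keep decrypting (role name is hypothetical):
-- GRANT EXECUTE ON FUNCTION pgp_sym_decrypt(bytea, text) TO app_decryptor;
```

Step 1 is cluster-wide; steps 2 and 3 are per database because `pg_extension` is a per-database catalog, so loop over `pg_database` from your orchestration rather than assuming one database per cluster. Re-run step 2 after the upgrade to confirm the grants you restored are the only ones left.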

backslash_quote GUC and Its 2006 SQL Injection Origins — The backslash_quote configuration parameter exists as a direct legacy of a 2006 SQL injection vulnerability compounded by multibyte character encoding edge cases. Its default, safe_encoding, rejects the \' escape whenever the client encoding is one in which an ASCII backslash byte can also be the trailing byte of a multibyte character; the value on switches that check off and is retained solely for backward compatibility with non-conforming clients. It remains a reminder of how encoding assumptions become long-lived attack surface. Read more
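What the parameter actually guards is easy to see in a psql session. The session below is an added example, not from the linked article or the PostgreSQL documentation; it assumes a UTF8 database so that `client_encoding` can be switched to SJIS, one of the client-only encodings in which a 0x5C byte (ASCII backslash) can be the second byte of a two-byte character.

```sql
-- Added example (not from the page): the check that backslash_quote = safe_encoding
-- performs, and the settings that weaken it. Assumes a UTF8 database.

SHOW backslash_quote;               -- safe_encoding on a default install
SHOW standard_conforming_strings;   -- on (default since 9.1): backslash is not an
                                    -- escape in '...' literals at all, only in E'...'

-- In SJIS a backslash byte can be the trailing byte of a multibyte character, so a
-- client-side escaper that turns ' into \' can be fed a lone lead byte followed by a
-- quote: the server reads <lead byte><backslash> as one character and the quote ends
-- the literal. safe_encoding closes that path by refusing \' outright in such encodings.
SET client_encoding = 'SJIS';
SELECT E'it\'s';
-- ERROR:  unsafe use of \' in a string literal
-- HINT:  Use '' to write quotes in strings. \' is insecure in client-only encodings.

-- The portable spelling is accepted in every encoding:
SELECT 'it''s';   -- it's

-- Hardening: off rejects \' unconditionally, independent of client encoding, which is
-- the right setting when no legacy client depends on the escape.
RESET client_encoding;
SET backslash_quote = 'off';
SELECT E'it\'s';
-- ERROR:  unsafe use of \' in a string literal

-- Weak setting to hunt for in postgresql.conf, ALTER SYSTEM and per-role settings:
-- backslash_quote = on disables the check entirely and reopens the 2006 path for any
-- client using a client-only encoding.
SELECT name, setting, source
FROM pg_settings
WHERE name IN ('backslash_quote', 'standard_conforming_strings');
```

The last query is the one to put in a configuration audit: `source` tells you whether a non-default value came from the config file, `ALTER SYSTEM`, a database or role setting, or the session, which is where a legacy override usually hides.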


Worth Reading

Snowflake, Postgres, Lakebase, HorizonDB — understanding the competitive positioning

pgvector scalar and binary quantization techniques explained

CloudNativePG recipe 24: migrating from Crunchy PGO to PostgreSQL 18