TYamamoto
Novice
Posts: 6
Liked: never
Joined: Jan 14, 2026 2:47 am
Full Name: Tetsuo Yamamoto

[V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by TYamamoto »

Dear Veeam R&D Team,

I hope you are doing well.
We would like to inquire about the version of PostgreSQL bundled with the Veeam v13 Software Appliance.

Recently, several PostgreSQL vulnerabilities have been reported with the following CVE IDs:
* CVE-2025-8713
* CVE-2025-8714
* CVE-2025-8715
* CVE-2026-2003
* CVE-2026-2004
* CVE-2026-2005
* CVE-2026-2006

According to the PostgreSQL advisory, the affected versions are PostgreSQL 14 through 18, and the issues are fixed in the following versions:
* 14.21
* 15.16
* 16.12
* 17.8
* 18.2

We checked the PostgreSQL version included in the **Veeam v13 Software Appliance** using Veeam Intelligence, and it appears to be:

`PostgreSQL 17.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5), 64-bit`

Since version **17.6** seems to fall within the vulnerable range, we would like to confirm the following:

1. Is Veeam aware of this vulnerability affecting the PostgreSQL version bundled with the v13 Software Appliance?
2. Are there plans to update the embedded PostgreSQL version to **17.8 or later** in a future update or patch of the v13 Software Appliance?

The appliance is currently updated to the latest version via the built-in updater, but the PostgreSQL version does not appear to have been updated.

We would appreciate your guidance on this matter.

Best regards,
Tetsuo
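
The version check described in the post above, as an added example (not part of the original post, and not Veeam or PostgreSQL project code): it parses a `SELECT version()` banner and compares it with the fixed releases listed in the post. The first sample banner is the one quoted in the post; the others are constructed.

```python
import re

# Fixed minor release per affected major, exactly as listed in the post above.
FIXED_MINOR = {14: 21, 15: 16, 16: 12, 17: 8, 18: 2}

# Matches the "PostgreSQL <major>.<minor>" prefix of a version() banner.
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor) from the output of SELECT version()."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no PostgreSQL version found in: %r" % banner)
    return int(match.group(1)), int(match.group(2))


def assess(banner):
    """Classify a banner against the fixed versions quoted in the thread."""
    major, minor = parse_version(banner)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        # The list covers majors 14-18 only; it says nothing about others.
        return "%d.%d: UNKNOWN (major %d is not in the quoted list)" % (
            major, minor, major)
    if minor < fixed:
        return "%d.%d: VULNERABLE (upgrade to %d.%d or later)" % (
            major, minor, major, fixed)
    return "%d.%d: PATCHED (at or above %d.%d)" % (major, minor, major, fixed)


if __name__ == "__main__":
    banners = [
        # Banner quoted in the post.
        "PostgreSQL 17.6 on x86_64-pc-linux-gnu, compiled by gcc (GCC) "
        "11.5.0 20240719 (Red Hat 11.5.0-5), 64-bit",
        # Constructed samples for comparison.
        "PostgreSQL 17.9 on x86_64-pc-linux-gnu, 64-bit",
        "PostgreSQL 13.20 on x86_64-pc-linux-gnu, 64-bit",
    ]
    for banner in banners:
        print(assess(banner))
```
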
vnikiforov
Product Manager
Posts: 78
Liked: 21 times
Joined: Aug 17, 2022 5:03 am
Full Name: Vladimir Nikiforov
Location: Romania

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by vnikiforov »

Hello, Tetsuo,

Let me check internally and I will return with the answer.
---
BR,
Vladimir
Veeam Software
HannesK
Product Manager
Posts: 16167
Liked: 3685 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by HannesK » 1 person likes this post

Hello,
yes, we are aware and working on a solution.

Best regards
Hannes

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by TYamamoto »

Hello,

An update (version 13.0.1.2067) was released on March 12, as described in the following KB article:
https://www.veeam.com/kb4738

Could you please confirm whether this update addresses the PostgreSQL vulnerability CVE-2026-2006 affecting the PostgreSQL version bundled with the Veeam Software Appliance (VSA) v13?

Thank you in advance for your clarification.

Best regards.
Tetsuo

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by HannesK »

Hello,
the updates from yesterday are for Veeam software components. Not for Postgres.

Best regards
Hannes
Marvelmate
Lurker
Posts: 2
Liked: 1 time
Joined: Apr 30, 2026 9:01 pm

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by Marvelmate »

Any updates on this topic please?

This vulnerability is flagged in Action1 as a security concern.

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by HannesK »

EDIT: the packages were updated some time ago

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by HannesK » 1 person likes this post

update post: my earlier post today was wrong and I edited it... if you update the Veeam Software Appliance to the latest version, then Postgres 17.9 is installed. If not, please let us know the support case number for investigations.

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by Marvelmate » 1 person likes this post

I had already updated to 13.0.1.2067; however, PostgreSQL did not appear to update.

However, I was able to follow the guide below using the PostgreSQL 17.9.1 installer from the Veeam ISO.

https://vinfrastructure.it/2026/03/how- ... backup-13/

Re: [V13]Vulnerable version of PostgreSQL bundled with VSA v13

Post by HannesK »

Hello,
I cannot follow... this forum thread is about the Veeam Software Appliance and the blog post is about the Windows version. But yes, on Windows you can update Postgres at any time. In future, we will also take care of updating Postgres on Windows when we bring the "Veeam Updater" (exists only on Veeam appliances today) also to Windows. For new installations of V13, we have 17.9 in the ISO.

Best regards
Hannes