High-risk tools in Postgresql
6 of the 25 tools in Postgresql are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
analyzeTableExecuteRun ANALYZE on a table to update query planner statistics. This helps PostgreSQL choose optimal query plans. Run after large data changes (bulk imports, mass updates/deletes).
-
cancelQueryExecuteCancel a running query by its process ID (PID). Use getActiveQueries first to find the PID. This sends a cancel signal — the query may take a moment to actually stop. Does NOT t...
-
executeDDLExecuteExecute a DDL statement (CREATE TABLE, ALTER TABLE, DROP TABLE, etc.). Dangerous operations like DROP DATABASE, user management, and privilege changes are always blocked for saf...
-
executeQueryExecuteExecute a read-only SQL query (SELECT, WITH...SELECT). The query is validated to ensure it doesn
-
executeSqlExecuteExecute an arbitrary SQL statement that is NOT DDL (no CREATE, ALTER, DROP). Supports SELECT, INSERT, UPDATE, DELETE, and other DML operations. DDL statements require admin priv...
-
explainQueryExecuteGet the execution plan for a SQL query using EXPLAIN. Optionally run EXPLAIN ANALYZE to get actual execution statistics (this executes the query). Useful for optimizing query pe...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.