article Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability in Official Support Articles

Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Nick_Asilo — Thu, 08 May 2025 14:11:44 GMT

PostgreSQL has identified a vulnerability (CVE-2025-1094) that allows for SQL injection under certain scenarios. For more information, see CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation.

Resolution

To allow for quick mitigation of PostgreSQL vulnerabilities, Qlik offers the ability to run and manage your own PostgreSQL instance independently of what Qlik Sense Enterprise on Windows is shipped with. This allows for direct control of your PostgreSQL instance and facilitates maintenance without a dependency on Qlik Sense. Further Database upgrades can then be performed independently and in accordance with your corporate security policy when needed, as long as you remain within the supported PostgreSQL versions.

Recommendations

Upgrade to Qlik Sense Enterprise on Windows May 2025 IR

Qlik Sense Enterprise on Windows May 2025 IR includes PostgreSQL 14.17 in its installer. See the System Requirements for details.

Upgrade PostgreSQL

If you have already installed a standalone PostgreSQL database, or if you have used the Qlik PostgreSQL Installer (QPI) to upgrade and decouple your previously bundled database, then you can upgrade PostgreSQL at any time. This means you control maintenance and can immediately react to potential PostgreSQL security concerns by upgrading to a later service release or a later major version.

See Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL.

Verify your Qlik Sense Enterprise on Windows version's System Requirements before committing to a PostgreSQL version.

Unbundle and upgrade PostgreSQL using QPI

If you have not yet installed a standalone PostgreSQL instance, this is the preferred method to gain direct control to upgrade at your own pace. For instructions, see Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer.

Manually switch to a dedicated PostgreSQL database

An alternative method to migrate to a standalone PostgreSQL instance is available in How to configure Qlik Sense to use a dedicated PostgreSQL database.

Internal Investigation ID(s)

SUPPORT-896

Environment

Qlik Sense Enterprise on Windows

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Stephanus — Wed, 26 Feb 2025 05:52:15 GMT

Good day.

I went through your article as well as logging a support call but how can we do the above if you are unable to unbundle the Repository Database? QPI does not run if your database is already on 14.8 especially with clients that has been installed recently as well as new clients.

Will it be possible to provide guidance for databases that is unable to use QPI?

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Sonja_Bauernfeind — Wed, 26 Feb 2025 07:18:41 GMT

Hello @Stephanus

Does this help? How to manually upgrade the bundled Qlik Sense PostgreSQL version

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Stephanus — Wed, 26 Feb 2025 09:59:35 GMT

Hi @Sonja_Bauernfeind

Thanks for reaching out to me.

The article that you provided does not show a way to upgrade the bundled version using a higher version than 14.8. The article above is referring to that version having the vulnerability.

The above is one of the scenarios that I have tested and you are still unable to upgrade 14.8 - 14.17 as it is still bundled and requires to be unbundled for the upgrade to occur in Postgres. Qlik November 2024 is still bundled with Postgres 14.8. I haven`t tested Feb 2025 as it is not out yet.

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Sonja_Bauernfeind — Wed, 26 Feb 2025 11:55:30 GMT

Hello @Stephanus

Let me reach out to my subject matter experts!

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Sonja_Bauernfeind — Wed, 26 Feb 2025 13:31:15 GMT

Hello @Stephanus

Thank you for your feedback! This was helpful since it allowed me to clarify the article better. And, yes, I did link the wrong article to you on the first pass. I misunderstood the request.

So, here is what your path should look like:

You first need to switch to a standalone PostgreSQL instance. Now, if you cannot use QPI, the second method listed is what we have available: How to configure Qlik Sense to use a dedicated PostgreSQL database
And from there on out you can continue with upgrading at your leisure: Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Marco-Silva — Wed, 26 Feb 2025 14:54:03 GMT

Hello @Sonja_Bauernfeind

I am hoping that you can assist me with a question.

Postgres is part of Qlik, which is installed on our servers behind the Azure firewall. This vulnerability relates to Postgres which is installed on the Qlik server, as mentioned.

Our main question is whether this vulnerability can be exploited via the Qlik frontend, which we have exposed to the internet through port 443 for our customers to be able to access the dashboards, or if it applies only to customers who will have PostgreSQL publicly accessible?

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Nick_Asilo — Wed, 26 Feb 2025 15:35:40 GMT

@Marco-Silva our security team is still assessing this vulnerability and has not released any public statements or decisions at the time of this post. You can find details of the vulnerability posted by Postgres here

Limiting access to the backend is always the first step in security, though this again only limits access and does not resolve the vulnerability. There has been no confirmation that this vulnerability is exploitable through port 443, but as stated this is still being assessed and I would advise taking the steps above to adopt the released fix and remove any chance

Best Regards,
Nick

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Stephanus — Thu, 27 Feb 2025 08:12:13 GMT

Hi Sonja

Thank you very much for the articles and this will be very insightful.

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

oehmemat — Mon, 03 Mar 2025 08:39:22 GMT

Hello @Sonja_Bauernfeind,

will the bundled PostgreSQL Version be updated or patched via the regular QlikSense Updates at some point and if so, is there a timeline? We would like to keep the bundled version.

Kind Regards

Matthias

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Stephanus — Fri, 07 Mar 2025 10:18:45 GMT

Hi @Sonja_Bauernfeind

I see that Feb 2025 is out. Does that installer still have Postgres 14.8 embedded?

If so it does mean that the new installer has the vulnerability embedded already which can cause an issue for new installs as the QPI does not works with version Nov 2023 or later

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Nick_Asilo — Fri, 07 Mar 2025 13:35:04 GMT

The QPI toll is not the only way to unbundle the database, as pointed out previously, if you cannot use QPI, the second method listed is what we have available: How to configure Qlik Sense to use a dedicated PostgreSQL database

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Sonja_Bauernfeind — Fri, 07 Mar 2025 14:38:12 GMT

Hello @Stephanus

Qlik Sense Enterprise on Windows has a release cadence of May and November. See Release Cadence Update: Qlik Sense Enterprise Client-Managed.

As for what versions of PostgreSQL come bundled, you will be able to see this in the System Requirements for the relevant release.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Sonja_Bauernfeind — Thu, 08 May 2025 13:45:06 GMT

Hello @oehmemat

May 2025 IR was released yesterday. It includes PostgreSQL 14.17. See the System Requirements for details.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

sten_still — Wed, 11 Mar 2026 07:34:51 GMT

Hello,

Im running on QlikSense Feb2024 with Patch 17 on single node with postgreSQL 14.17.

Recently my cybersec team detection for the vulnerable on

"PostgreSQL Multiple Security Vulnerabilities (CVE-2025-8713,CVE-2025-8714,CVE-2025-8715)"

The advice given is to upgrade to the latest version, when tested in the Non-prod environment for postgreSQL 14.19 manually. QlikSense seems not working.

Will upgrade the QlikSense to the May2025 solving the vulnerability test ?

Thank you.

BR,

Amir

article Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability in Official Support Articles

Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Resolution

Recommendations

Upgrade to Qlik Sense Enterprise on Windows May 2025 IR

Upgrade PostgreSQL

Unbundle and upgrade PostgreSQL using QPI

Manually switch to a dedicated PostgreSQL database

Related Content

Internal Investigation ID(s)

Environment

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability

Re: Qlik Sense Enterprise on Windows and the PostgreSQL CVE-2025-1094 vulnerability