diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 876969ef9bb57..d9cdce006f731 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -26,6 +26,7 @@ let
 optionalString
 types
 versionAtLeast
+ warn
 ;
 cfg = config.services.postgresql;
@@ -484,10 +485,18 @@ in
 services.postgresql.package =
 let
 mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
+ mkWarn = ver: warn ''
+ The postgresql package is not pinned and selected automatically by
+ `systemd.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
+ oldest postgresql version available and thus the next that will be
+ removed when EOL.
+
+ See also https://endoflife.date/postgresql
+ '';
 base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
 else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
 else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
- else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
+ else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
 else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
 else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
 else mkThrow "9_5";
diff --git a/pkgs/servers/sql/postgresql/generic.nix b/pkgs/servers/sql/postgresql/generic.nix
index decaedc5f85f1..264ef08a89561 100644
--- a/pkgs/servers/sql/postgresql/generic.nix
+++ b/pkgs/servers/sql/postgresql/generic.nix
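Review bot: In nixos/modules/services/databases/postgresql.nix the `mkWarn` text names `systemd.stateVersion`, but the selector right below reads `config.system.stateVersion`, so the warning points users at the wrong option name; it should read `system.stateVersion`. Since this branch hands out the oldest release still packaged, the message would be more actionable if it also said how to get off it, for example a closing line such as `Set services.postgresql.package explicitly to pin a newer version.`, and that an EOL release no longer receives security fixes. The `let` binding and the option definition it belongs to start and end outside the hunk.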
@@ -335,6 +335,11 @@ let
 # In fact, I tried to test the result in a VM-test, but as soon as JIT was used to optimize
 # a query, postgres would coredump with `Illegal instruction`.
 broken = jitSupport && !stdenv.hostPlatform.canExecute stdenv.buildPlatform;
+
+ # Should've never been in 24.11, but we missed the freeze.
+ knownVulnerabilties = lib.optionals (olderThan "13") [
+ "PostgreSQL 12 is EOL and receives no more security fixes"
+ ];
 };
 });
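Review bot: The added attribute is spelled `knownVulnerabilties`, whereas the attribute nixpkgs consults to treat a package as insecure is `meta.knownVulnerabilities`, so as written the EOL marker most likely has no effect and PostgreSQL 12 keeps evaluating without the insecure-package refusal. The line should read `knownVulnerabilities = lib.optionals (olderThan "13") [`. The enclosing attribute set opens outside the hunk; that it is `meta` is inferred from the neighbouring `broken` attribute, and `olderThan` is defined elsewhere, so both are worth confirming. A check that evaluating the PostgreSQL 12 package fails unless it is explicitly permitted would catch this kind of silent miss.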