PostgreSQL Anonymizer CVE-2026-11945

EUVD-2026-36266 · HIGH
SQL Injection (CWE-89)
2026-06-11 · PostgreSQL · GHSA-g5vm-7gwv-45rj
CVSS 3.1 (NVD): 7.5

Severity by source

  • Vendor (PostgreSQL), primary: MEDIUM (qualitative)
  • NVD: 7.5 HIGH (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • vuln.today AI: 8.0 HIGH

Authenticated user (PR:L) plants payload over the network (AV:N); a superuser must later run the importer (UI:R, AC:H), and execution crosses the role boundary into the superuser security context (S:C) with total impact.

  • CVSS 3.1: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
  • CVSS 4.0: AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (PostgreSQL).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (7 events)

  • Jun 16, 2026 - 14:28 (vuln.today): Analysis Updated, v3 (cvss_changed)
  • Jun 16, 2026 - 14:27 (vuln.today): Analysis Updated, v2 (cvss_changed)
  • Jun 16, 2026 - 14:22 (vuln.today): Re-analysis Queued (cvss_changed)
  • Jun 16, 2026 - 14:22 (NVD): Severity Changed, MEDIUM → HIGH
  • Jun 16, 2026 - 14:22 (NVD): CVSS changed, 6.4 (MEDIUM) → 7.5 (HIGH)
  • Jun 11, 2026 - 18:01 (EUVD): Patch available
  • Jun 11, 2026 - 17:16 (vuln.today): Analysis Generated

Description (NVD)

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and later versions.

Analysis (AI)

Privilege escalation in PostgreSQL Anonymizer versions prior to 3.1.1 allows a low-privileged database user to achieve superuser execution by embedding malicious code in a crafted JSON key-value pair that is later processed by the import_database_rules() or import_roles_rules() functions when invoked by a superuser. The attack is a stored payload that requires a superuser to trigger the import of attacker-controlled rules, and no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain low-privileged DB account
  • Delivery: Inject malicious SQL into rules JSON key
  • Exploit: Wait for superuser to run import_database_rules()/import_roles_rules()
  • Execution: SQL executes with superuser context
  • Persist: Create attacker superuser role
  • Impact: Full database compromise

Vulnerability Assessment (AI)

Exploitation: The attacker must (1) hold an authenticated PostgreSQL role with the ability to write the JSON rules document later consumed by the anon extension (e.g., insert into the rules table, modify the file on disk, or supply the file path) and (2) wait for or induce a superuser to invoke anon.import_database_rules() or anon.import_roles_rules() against that JSON. …

Risk Assessment: The signals here pull in opposite directions and must be weighed carefully: the CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/C:H/I:H/A:H) reflects total compromise of the database, but EPSS is only 0.04% (12th percentile) and CISA SSVC marks Exploitation as none and Automatable as no. …

Exploit Scenario: A low-privileged but authenticated database user who can influence the masking/role rules JSON (for example by writing to a shared rules table or file consumed during restore) embeds malicious SQL inside the targeted key-value pair. Later, a DBA running maintenance executes SELECT anon.import_database_rules(...) or anon.import_roles_rules(...) as a superuser, at which point the embedded SQL runs with superuser privileges and the attacker creates a new superuser role or exfiltrates protected data. …

Remediation: Vendor-released patch: PostgreSQL Anonymizer 3.1.1. Upgrade the extension to 3.1.1 or later on every PostgreSQL instance where the extension is installed, per the upstream issue at https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/643 and the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-11945. …

Recommended Action (AI)

Within 24 hours: Audit the current PostgreSQL Anonymizer version and restrict non-superuser database access to rule management functions. …
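As an added audit example (not from the vuln.today page or the PostgreSQL Anonymizer project), the following SQL carries out the two checks the recommended action calls for: it compares the installed extension version against the fixed release 3.1.1 named above, and it lists which roles currently hold EXECUTE on the two import functions the advisory names. It assumes the extension is registered under the name `anon` (the advisory refers to `anon.import_database_rules()` and `anon.import_roles_rules()`) and that `pg_extension.extversion` is a dotted numeric string, optionally followed by a `-suffix`.

```sql
-- Added audit example; not part of the advisory or of PostgreSQL Anonymizer.
-- Assumes the extension is registered as 'anon' and reports a dotted numeric
-- version in pg_extension.extversion (e.g. '3.1.1' or '3.1.1-dev').

-- 1. Is the installed PostgreSQL Anonymizer older than the fixed release 3.1.1?
--    The version string is split into an integer array so that '3.10.0' sorts
--    after '3.1.1' (a plain text comparison would get this wrong).
SELECT extname,
       extversion,
       CASE
         WHEN string_to_array(split_part(extversion, '-', 1), '.')::int[] < ARRAY[3, 1, 1]
           THEN 'VULNERABLE: upgrade to 3.1.1 or later'
         ELSE 'OK'
       END AS status
FROM pg_extension
WHERE extname = 'anon';

-- 2. Which roles may execute the two import functions named in the advisory?
--    A NULL proacl means no explicit grants exist, so PostgreSQL's default
--    applies and EXECUTE is available to PUBLIC; grantee OID 0 also means PUBLIC.
SELECT p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       CASE
         WHEN p.proacl IS NULL THEN 'PUBLIC (default EXECUTE)'
         WHEN a.grantee = 0    THEN 'PUBLIC'
         ELSE pg_get_userbyid(a.grantee)
       END AS grantee,
       COALESCE(a.privilege_type, 'EXECUTE') AS privilege
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
LEFT JOIN LATERAL aclexplode(p.proacl) a ON true
WHERE n.nspname = 'anon'
  AND p.proname IN ('import_database_rules', 'import_roles_rules')
ORDER BY p.proname, grantee;

-- 3. To follow the recommended action and withdraw default EXECUTE from PUBLIC,
--    fill in the argument list reported by query 2 for each overload, e.g.:
--    REVOKE EXECUTE ON FUNCTION anon.import_database_rules(<args from query 2>) FROM PUBLIC;
--    GRANT  EXECUTE ON FUNCTION anon.import_database_rules(<args from query 2>) TO <dba_role>;
```

Query 1 is the only check that settles the question, since the fix is the 3.1.1 upgrade; query 2 and the REVOKE template implement the page's compensating control of keeping the rule management functions out of reach of ordinary roles while the upgrade is scheduled. Superusers bypass ACL checks entirely, so the grants shown in query 2 describe only what non-superuser roles can call.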


CVE-2026-11945 vulnerability details – vuln.today
