Skip to main content

PostgreSQL Anonymizer CVE-2026-13455

| EUVDEUVD-2026-40349 MEDIUM
Use of Weak Hash (CWE-328)
2026-06-30 PostgreSQL GHSA-8ch8-93q8-mhm3
4.3
CVSS 3.1 · Vendor: PostgreSQL
Share

Severity by source

Vendor (PostgreSQL) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible collection phase with no complexity beyond holding a masked role (PR:L); confidentiality-only, no integrity or availability impact; scope unchanged as recovery affects same database authorization boundary.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from Vendor (PostgreSQL).

CVSS VectorVendor: PostgreSQL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 30, 2026 - 17:01 EUVD
Analysis Generated
Jun 30, 2026 - 16:25 vuln.today

DescriptionCVE.org

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions

AnalysisAI

PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authenticated masked database role
Delivery
Call anon.hash() with large known-seed dictionary
Exploit
Collect sufficient (seed, hash_output) pairs
Execution
Run offline brute-force to recover salt
Persist
Reverse all pseudonymized column values
Impact
Exfiltrate original sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated database user holding a masked role with execute permission on anon.hash() - the standard configuration for any masked user in a PostgreSQL Anonymizer deployment, making this the default operational state rather than a special configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 Medium score (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects a network-reachable, low-complexity attack requiring low privileges with confidentiality-only, partial impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A database analyst granted a masked role on a PostgreSQL instance running a vulnerable version of PostgreSQL Anonymizer connects over the network and invokes anon.hash() with a large dictionary of known seed values, accumulating thousands of (seed, output) pairs over multiple sessions. The attacker processes these pairs offline using brute-force or dictionary techniques to recover the salt. …
Remediation Upgrade to PostgreSQL Anonymizer 3.1.2 or later, the vendor-confirmed fix version per the description and GitLab issue https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/649. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Vendor StatusVendor

Share

CVE-2026-13455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy