Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and further versions
AnalysisAI
Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.
Technical ContextAI
PostgreSQL Anonymizer is a PostgreSQL extension developed by Dalibo that provides data masking and anonymization capabilities, including k-anonymity enforcement. The root cause is CWE-89 (SQL Injection) arising from insufficient sanitization of column identifiers - specifically, the k-anonymity function appears to dynamically construct SQL queries incorporating user-supplied column names without proper quoting or escaping, allowing SQL metacharacters embedded in identifier names to be interpreted as executable code. The attack surface differs materially by PostgreSQL version: on PostgreSQL 14 and earlier, the public schema grants CREATE TABLE to all users by default, making exploitation accessible to any authenticated user. PostgreSQL 15 revoked this default, narrowing the attack surface to users explicitly granted CREATE TABLE privileges. The EUVD-2026-32504 record confirms affected versions as PostgreSQL Anonymizer 1.x through all releases prior to 3.1.0.
RemediationAI
Upgrade to PostgreSQL Anonymizer 3.1.0 or later, which is the vendor-confirmed fix for this vulnerability as stated in the CVE description and corroborated by the vendor patch availability signal. Reference the upstream issue at https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/640 for release details. As a compensating control prior to patching on PostgreSQL 14 instances, explicitly revoke CREATE TABLE rights on the public schema for non-superuser roles using 'REVOKE CREATE ON SCHEMA public FROM PUBLIC;' - note this may break applications that dynamically create tables in the public schema and should be tested before deployment. Additionally, restrict invocation of k-anonymity functions to trusted administrative roles only, preventing untrusted users from positioning malicious tables in paths that superusers process. On PostgreSQL 15+, audit whether any non-essential users have been explicitly granted CREATE TABLE privileges and revoke where unnecessary.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32504
GHSA-2qfw-46cx-cgv6