Skip to main content

PostgreSQL Anonymizer EUVDEUVD-2026-32504

| CVE-2026-9617 MEDIUM
SQL Injection (CWE-89)
2026-05-27 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 GHSA-2qfw-46cx-cgv6
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:18 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and further versions

AnalysisAI

Privilege escalation in PostgreSQL Anonymizer (all versions prior to 3.1.0) allows an authenticated database user to gain superuser privileges by embedding malicious SQL code within a column identifier of a user-created table. When a superuser invokes the k-anonymity function against such a table, the injected code executes with superuser-level privileges, yielding full confidentiality, integrity, and availability impact across the database. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though SSVC rates technical impact as total due to the complete privilege escalation outcome.

Technical ContextAI

PostgreSQL Anonymizer is a PostgreSQL extension developed by Dalibo that provides data masking and anonymization capabilities, including k-anonymity enforcement. The root cause is CWE-89 (SQL Injection) arising from insufficient sanitization of column identifiers - specifically, the k-anonymity function appears to dynamically construct SQL queries incorporating user-supplied column names without proper quoting or escaping, allowing SQL metacharacters embedded in identifier names to be interpreted as executable code. The attack surface differs materially by PostgreSQL version: on PostgreSQL 14 and earlier, the public schema grants CREATE TABLE to all users by default, making exploitation accessible to any authenticated user. PostgreSQL 15 revoked this default, narrowing the attack surface to users explicitly granted CREATE TABLE privileges. The EUVD-2026-32504 record confirms affected versions as PostgreSQL Anonymizer 1.x through all releases prior to 3.1.0.

RemediationAI

Upgrade to PostgreSQL Anonymizer 3.1.0 or later, which is the vendor-confirmed fix for this vulnerability as stated in the CVE description and corroborated by the vendor patch availability signal. Reference the upstream issue at https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/640 for release details. As a compensating control prior to patching on PostgreSQL 14 instances, explicitly revoke CREATE TABLE rights on the public schema for non-superuser roles using 'REVOKE CREATE ON SCHEMA public FROM PUBLIC;' - note this may break applications that dynamically create tables in the public schema and should be tested before deployment. Additionally, restrict invocation of k-anonymity functions to trusted administrative roles only, preventing untrusted users from positioning malicious tables in paths that superusers process. On PostgreSQL 15+, audit whether any non-essential users have been explicitly granted CREATE TABLE privileges and revoke where unnecessary.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

EUVD-2026-32504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy