PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
History

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-916
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 30 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Dalibo
Dalibo postgresql Anonymizer
Vendors & Products Dalibo
Dalibo postgresql Anonymizer

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
Title PostgreSQL Anonymizer: Unrestricted function can leak the secret salt
Weaknesses CWE-328
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-06-30T15:57:53.085Z

Reserved: 2026-06-26T18:36:50.872Z

Link: CVE-2026-13455

cve-icon Vulnrichment

Updated: 2026-06-30T15:57:14.669Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T15:19:57Z

Links: CVE-2026-13455 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T08:30:04Z