CVE-2026-2360

Severity: High (CVSS 3.1 base score 8.0) · EPSS: 33.1%
Published Feb 11, 2026 (4mo ago) · Last Modified Jun 17, 2026 (2w ago)

Description

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and placing malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14, or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the CREATE permission on the public schema is revoked by default, and this exploit can only be achieved if a superuser adds a new schema to her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and later versions.

CVSS Details

Base Score
8.0
Exploitability
1.3
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
33.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-427: Uncontrolled Search Path Element

References (3)

  • gitlab.com https://gitlab.com/dalibo/postgresql_anonymizer/-/blob/latest/NEWS.md
  • gitlab.com https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/616
  • postgresql.org https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATH

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.