CVE-2026-13455

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:dalibo:postgresql_anonymizer:*:*:*:*:*:postgresql:*:*

History

06 Jul 2026, 20:23

Type Values Removed Values Added
References () https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/649 - () https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/649 - Vendor Advisory
CPE cpe:2.3:a:dalibo:postgresql_anonymizer:*:*:*:*:*:postgresql:*:*
First Time Dalibo
Dalibo postgresql Anonymizer

30 Jun 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-30 16:16

Updated : 2026-07-06 20:23


NVD link : CVE-2026-13455

Mitre link : CVE-2026-13455

CVE.ORG link : CVE-2026-13455


JSON object : View

Products Affected

dalibo

  • postgresql_anonymizer
CWE
CWE-328

Use of Weak Hash