Description
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions
Published: 2026-06-11
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in PostgreSQL Anonymizer’s import functions, allowing a malicious user to inject code into a JSON rule file. When a superuser executes the functions anon.import_database_rules() or anon.import_roles_rules(), the injected code runs with superuser privileges, effectively granting the attacker full control over the database. This vulnerability is a classic CWE‑89 injection flaw. The attacker can compromise confidentiality, integrity, and availability of the data and the system.

Affected Systems

The flaw affects the Dalibo PostgreSQL Anonymizer extension. Versions older than 3.1.1 are vulnerable, while 3.1.1 and later include a fix.

Risk and Exploitability

The flaw carries a CVSS score of 6.4. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a superuser to invoke the import functions, implying that compromise of a superuser account or elevation of a privileged user to superuser level can exploit the flaw. Once executed, the attacker gains full superuser rights within the database environment.

Generated by OpenCVE AI on June 11, 2026 at 20:23 UTC.

Remediation

Vendor Workaround

Remove the rules import functions named `anon.import_roles_rules()` and `anon.import_database_rules()`. They are user-facing functions with no internal dependencies.

OpenCVE Recommended Actions

  • Upgrade the PostgreSQL Anonymizer extension to version 3.1.1 or later
  • If upgrading is not immediately possible, remove the functions anon.import_roles_rules() and anon.import_database_rules() from the database to prevent exploitation
  • Ensure only trusted superusers have the privilege to assign or execute these functions, and audit any use of import operations for suspicious activity

Generated by OpenCVE AI on June 11, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Dalibo
Dalibo postgresql Anonymizer
Vendors & Products Dalibo
Dalibo postgresql Anonymizer

Thu, 11 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions
Title PostgreSQL Anonymizer: SQL injection in the rules import functions
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Dalibo Postgresql Anonymizer
cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-06-11T18:34:38.312Z

Reserved: 2026-06-10T21:28:53.029Z

Link: CVE-2026-11945

cve-icon Vulnrichment

Updated: 2026-06-11T18:34:34.480Z

cve-icon NVD

Status : Received

Published: 2026-06-11T17:16:31.837

Modified: 2026-06-11T17:16:31.837

Link: CVE-2026-11945

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T20:30:28Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')