Description
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved if a superuser adds a new schema in her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions
Published: 2026-02-11
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Update
AI Analysis

Impact

PostgreSQL Anonymizer 2.5 contains a missing search_path protection that allows an ordinary database user to create a malicious custom operator in the public schema. When the extension is later created, the operator is executed with superuser privileges, enabling the attacker to gain full administrative control over the PostgreSQL instance. This flaw is a classic privilege‑escalation vulnerability and is classified as CWE‑427.

Affected Systems

The vulnerability impacts the Dalibo PostgreSQL Anonymizer extension version 2.5 running on PostgreSQL 14 databases, and on any PostgreSQL instance that has been upgraded from 14 where the public schema still grants CREATE rights to PUBLIC. PostgreSQL 15 and later are not affected by default, because CREATE is revoked on the public schema, but the exploit could still succeed if a superuser creates another schema on the search_path and grants CREATE to untrusted users – a configuration that is strongly discouraged.

Risk and Exploitability

The CVSS score is 8.0, indicating high severity. The EPSS score is less than 1%, so the likelihood of exploitation is considered very low, and the vulnerability is not in the CISA KEV catalog. The attack vector is inferred to be an authenticated database user that has permission to create operators in the public schema, which is common in a default PostgreSQL installation where PUBLIC has CREATE rights. Once the malicious operator is triggered during extension creation, it executes with superuser privileges, allowing the attacker to read, modify, or delete any data and execute arbitrary SQL commands.

Generated by OpenCVE AI on April 17, 2026 at 20:17 UTC.

Remediation

Vendor Workaround

Do not allow users to create new objects in the public schema by running the following command in all of your databases: REVOKE CREATE ON SCHEMA public FROM PUBLIC;

OpenCVE Recommended Actions

  • Upgrade to PostgreSQL Anonymizer 3.0.1 or a later release.
  • If an upgrade is not immediately possible, revoke the CREATE privilege on the public schema from PUBLIC using REVOKE CREATE ON SCHEMA public FROM PUBLIC;
  • Ensure that any newly created schemas have restricted permissions and that superusers do not grant CREATE to untrusted roles.

Generated by OpenCVE AI on April 17, 2026 at 20:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Dalibo
Dalibo postgresql Anonymizer
Vendors & Products Dalibo
Dalibo postgresql Anonymizer

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved if a superuser adds a new schema in her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions
Title Improper search_path protection in PostgreSQL Anonymizer 2.5 allows any user to gain superuser privileges in PostgreSQL 14
Weaknesses CWE-427
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Dalibo Postgresql Anonymizer
cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-02-11T18:29:12.805Z

Reserved: 2026-02-11T17:11:41.119Z

Link: CVE-2026-2360

cve-icon Vulnrichment

Updated: 2026-02-11T18:29:06.040Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T18:16:08.153

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses