Description
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and further versions.
Published: 2026-05-27
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the PostgreSQL Anonymizer extension permits the injection of malicious SQL code through a specially crafted column identifier. When the user-visible function anon.k_anonymity() is invoked, that code is executed with the privileges of the database superuser. As a consequence, a threat actor can elevate their rights to superuser level, gaining full control over the database cluster.

Affected Systems

The vulnerability affects deployments of DALIBO’s PostgreSQL Anonymizer that are earlier than version 3.1.0. The risk is heightened when the database is running PostgreSQL 14, or an instance that has been upgraded from PostgreSQL 14 and still allows users to create tables in the public schema. PostgreSQL 15 and later mitigate the issue by revoking the default CREATE privilege on the public schema, but the vulnerability remains exploitable if a user has been explicitly granted that permission. Version 3.1.0 and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate severity, and the EPSS score is not available, so there is no concrete data on exploitation frequency. The vulnerability is not listed in the CISA KEV catalog. An attacker needs the ability to create a table with a malicious column name; the injected SQL only runs when a superuser subsequently calls anon.k_anonymity() on that table (the CVSS vector records this as high privileges required with user interaction). The expected outcome is that arbitrary SQL is executed as superuser, fully compromising the database.

Generated by OpenCVE AI on May 27, 2026 at 21:20 UTC.

Remediation

Vendor Workaround

Remove the k_anonymity feature with 'DROP FUNCTION anon.k_anonymity();'. This is a user-facing function with no internal dependencies.


OpenCVE Recommended Actions

  • Upgrade the PostgreSQL Anonymizer extension to version 3.1.0 or newer to apply the vendor's fix.
  • As an interim measure, remove the vulnerable function with DROP FUNCTION anon.k_anonymity(); to prevent its use while a patch is pending.
  • Revoke CREATE TABLE permissions from non-superusers on the public schema to limit the ability to craft malicious tables, especially on PostgreSQL 14 deployments.
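The assessment and mitigation steps above, carried out as one psql session. This is an added example, not part of the OpenCVE page and not DALIBO's own code; it is meant to be run as a superuser on each database where the extension is installed. It assumes the extension is registered under the name anon (the page only shows the anon schema) and that the fixed release's files are already on the server's extension path before the final upgrade step.

```sql
-- 1. Which version of PostgreSQL Anonymizer is installed?
--    Anything below 3.1.0 is inside the affected range stated in the advisory.
--    (Assumption: the extension name is 'anon'.)
SELECT extname, extversion
FROM   pg_extension
WHERE  extname = 'anon';

-- 2. Who may create objects in the public schema?
--    A row with grantee PUBLIC and privilege CREATE means every login role
--    can create a table there, which is the default on PostgreSQL 14 and on
--    clusters upgraded from 14 or earlier. acldefault() fills in the implicit
--    ACL when nspacl is NULL, so a schema with no explicit grants still shows
--    its effective privileges.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE a.grantee::regrole::text END AS grantee,
       a.privilege_type
FROM   pg_namespace n,
       LATERAL aclexplode(COALESCE(n.nspacl, acldefault('n', n.nspowner))) AS a
WHERE  n.nspname = 'public'
ORDER  BY 1, 2;

-- 3. Interim mitigation from the advisory: take CREATE on public away from
--    the PUBLIC pseudo-role, matching the PostgreSQL 15+ default. Roles that
--    genuinely need it can be granted CREATE individually afterwards.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. Vendor workaround: remove the user-facing k_anonymity function.
--    First list its signature(s) and anything that depends on it.
SELECT p.oid::regprocedure                                  AS signature,
       pg_describe_object(d.classid, d.objid, d.objsubid)   AS dependent_object
FROM   pg_proc p
JOIN   pg_namespace n  ON n.oid = p.pronamespace
LEFT   JOIN pg_depend d ON d.refclassid = 'pg_proc'::regclass
                       AND d.refobjid   = p.oid
WHERE  n.nspname = 'anon'
  AND  p.proname = 'k_anonymity';

--    A function that was installed by CREATE EXTENSION is an extension member,
--    and PostgreSQL refuses to drop a member object on its own, so detach it
--    from the extension before dropping it. Omitting the argument list works
--    when exactly one function of that name exists; if the query above showed
--    several signatures, add the argument list of the one you mean.
ALTER EXTENSION anon DROP FUNCTION anon.k_anonymity;
DROP FUNCTION anon.k_anonymity;

-- 5. Preferred fix: upgrade to 3.1.0 or later once the new files are
--    installed (assumption: an ALTER EXTENSION update path exists from the
--    installed version), then confirm the recorded version.
ALTER EXTENSION anon UPDATE;
SELECT extname, extversion
FROM   pg_extension
WHERE  extname = 'anon';
```

Step 2 is the check worth keeping in a scheduled audit: the advisory's "revoke CREATE TABLE" recommendation only holds while no role other than the ones you intend has CREATE on public, and a later GRANT or a restore from an older dump can silently reintroduce it.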


Advisories

No advisories yet.

History

Thu, 28 May 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dalibo; Dalibo postgresql Anonymizer
Vendors & Products | | Dalibo; Dalibo postgresql Anonymizer

Wed, 27 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and further versions.
Title | | PostgreSQL Anonymizer: malicious column name allows SQL injection via anon.k_anonymity() function
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Dalibo Postgresql Anonymizer
MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-27T15:27:45.957Z

Reserved: 2026-05-26T16:36:40.963Z

Link: CVE-2026-9617

Vulnrichment

Updated: 2026-05-27T15:14:00.451Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:40.273

Modified: 2026-05-27T14:54:20.160

Link: CVE-2026-9617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:30:04Z

Weaknesses