CVE-2026-13455 PUBLISHED

PostgreSQL Anonymizer: Unrestricted function can leak the secret salt

Assigner: PostgreSQL
Reserved: 26.06.2026 Published: 30.06.2026 Updated: 30.06.2026

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collect (seed, hash_output) pairs, then perform an offline brute-force attack to deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3

Product Status

Vendor: DALIBO
Product: PostgreSQL Anonymizer
Versions:
  • affected from 1 to 3.1.2 (excl.)
  • default: unaffected

Workarounds

Restrict access to anon.hash() for masked users: SECURITY LABEL FOR anon ON FUNCTION anon.hash(TEXT) IS 'RESTRICTED'.
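The following is an added audit script, not part of the advisory or of the PostgreSQL Anonymizer project: it checks the installed extension version against the fixed release, shows which roles are masked and which anon labels already exist on anon functions, applies the workaround above, and re-reads the label. It assumes the anon extension is installed and that you are connected as a superuser (required for SECURITY LABEL on the function).

```sql
-- Added example for CVE-2026-13455 (assumes a superuser session with the anon extension installed).

-- 1. Installed extension version; anything below 3.1.2 is affected per the advisory.
SELECT extname, extversion
FROM   pg_extension
WHERE  extname = 'anon';

-- 2. Roles carrying the anon MASKED label: these are the users who can reach anon.hash().
SELECT objname AS role_name, label
FROM   pg_seclabels
WHERE  provider = 'anon'
  AND  objtype  = 'role';

-- 3. Current anon labels on functions in the anon schema.
--    No row for anon.hash(text) means the function is still unrestricted.
SELECT objname, label
FROM   pg_seclabels
WHERE  provider     = 'anon'
  AND  objtype      = 'function'
  AND  objnamespace = 'anon'::regnamespace;

-- 4. Apply the workaround from the advisory (re-running it simply overwrites the label).
SECURITY LABEL FOR anon ON FUNCTION anon.hash(TEXT) IS 'RESTRICTED';

-- 5. Verify: expect exactly one row, objname 'anon.hash(text)' with label 'RESTRICTED'.
SELECT objname, label
FROM   pg_seclabels
WHERE  provider = 'anon'
  AND  objname  = 'anon.hash(text)';
```

Keep the label in place even after upgrading to 3.1.2 if masked users have no business calling anon.hash() directly; the upgrade and the restriction are independent.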

Credits

  • The PostgreSQL Anonymizer project thanks user Sarath Kumar for reporting this problem.

Problem Types

  • CWE: Use of Weak Hash