CVE-2026-6478 PUBLISHED

PostgreSQL discloses MD5-hashed passwords via covert timing channel

Assigner: PostgreSQL
Reserved: 17.04.2026
Published: 14.05.2026
Updated: 14.05.2026

A covert timing channel in the comparison of MD5-hashed passwords during PostgreSQL authentication allows an attacker to recover credentials sufficient to authenticate as the victim user. Passwords stored as scram-sha-256 verifiers, the default password_encryption setting in all supported releases, are not affected. However, databases that were upgraded from PostgreSQL 13 or earlier may still contain MD5-hashed passwords. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 6.5 (Medium)

Product Status

Vendor n/a
Product PostgreSQL
Versions (default: unaffected):
  • affected from 18 to 18.4 (excl.)
  • affected from 17 to 17.10 (excl.)
  • affected from 16 to 16.14 (excl.)
  • affected from 15 to 15.18 (excl.)
  • affected from 0 to 14.23 (excl.)

Affected Configurations

The victim user has a usable MD5-hashed password (one that was set while password_encryption was md5, or carried over from an upgrade).

Workarounds

Reset the affected user's password with password_encryption set to scram-sha-256, so that a SCRAM-SHA-256 verifier replaces the stored MD5 hash. The server cannot convert an existing MD5 hash in place; a new password must be set.
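The following SQL is an added example of carrying out the workaround; it is not part of the advisory or of the PostgreSQL project's own code. It relies on two documented facts: pg_authid.rolpassword holds MD5 verifiers prefixed with `md5` and SCRAM verifiers prefixed with `SCRAM-SHA-256$`, and `ALTER ROLE ... PASSWORD` hashes a plaintext password according to the current password_encryption setting. The role name `app_user` and the replacement secret are placeholders.

```sql
-- Added example (not from the advisory or the PostgreSQL project).
-- Run as a superuser: pg_authid.rolpassword is readable only by superusers.
-- "app_user" and the new password below are placeholders for illustration.

-- 1. Inventory login roles by verifier type.
--    MD5 verifiers start with 'md5', SCRAM verifiers with 'SCRAM-SHA-256$'.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'md5%'            THEN 'md5 (affected)'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword IS NULL                THEN 'no password'
         ELSE 'other'
       END AS verifier_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- 2. Make sure new passwords in this session are stored as SCRAM verifiers,
--    independent of the server-wide default in postgresql.conf.
SET password_encryption = 'scram-sha-256';
SHOW password_encryption;

-- 3. Reset each role found in step 1. A fresh secret is unavoidable: the server
--    only holds the MD5 hash, not the plaintext, so it cannot re-derive a SCRAM
--    verifier from the old password.
ALTER ROLE app_user PASSWORD 'replace-with-a-new-strong-secret';

-- 4. Confirm no login-capable role still carries an MD5 verifier.
SELECT count(*) AS remaining_md5_roles
FROM pg_authid
WHERE rolcanlogin AND rolpassword LIKE 'md5%';
```

Two practical notes. Sending the plaintext in `ALTER ROLE` exposes it to the server log if statement logging is on; psql's `\password` avoids that by computing the verifier client-side (it also honours password_encryption). And a pg_hba.conf entry whose method is `md5` will automatically negotiate SCRAM when the stored verifier is SCRAM, so the reset takes effect without a configuration change, but switching those entries to `scram-sha-256` additionally refuses any role that still has an MD5 hash, which makes a missed role visible rather than silently exploitable.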

Credits

  • The PostgreSQL project thanks Joe Conway for reporting this problem.

Problem Types

  • CWE-385: Covert Timing Channel