CVE-2026-11945

Summary

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions

Affected Software

VendorProductVersion RangeStatus
DALIBOPostgreSQL Anonymizer1 < 3.1.1affected

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Workarounds

Remove the rules import functions named anon.import_roles_rules() and anon.import_database_rules(). They are user-facing functions with no internal dependencies.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References