CVE-2026-13455

Summary

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions

Affected Software

VendorProductVersion RangeStatus
DALIBOPostgreSQL Anonymizer1 < 3.1.2affected

Weaknesses

  • CWE-328: Use of Weak Hash

Workarounds

Restrict access to anon.hash() for masked users: SECURITY LABEL FOR anon ON FUNCTION anon.hash(TEXT) IS 'RESTRICTED'.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References