CVE Catalog

CVE-2026-11945

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

9th percentile — higher than 9% of all known CVEs

Summary

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges.

Risk Assessment

This vulnerability poses a serious risk to system security, allowing unauthorized users to gain full access to the database. This could lead to unauthorized access to and modification of data.

Recommendation

It is recommended to update PostgreSQL Anonymizer to version 3.1.1 or later to mitigate this vulnerability. Additionally, conduct an audit of user permissions and monitor calls to import functions.

Original NVD description (English source)

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions

Vulnerability data from NVD (NIST) · CISA KEV · EPSS