CVE Catalog

CVE-2026-13455

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

A vulnerability in PostgreSQL Anonymizer allows unprivileged masked users to repeatedly call the anon.hash() function and collect (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt.

Risk Assessment

The risk is that an attacker can recover the salt used for data masking, potentially leading to disclosure of original sensitive data values.

Recommendation

It is recommended to immediately upgrade PostgreSQL Anonymizer to version 3.1.2 or later, which fixes this vulnerability.

Original NVD description (English source)

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions

Vulnerability data from NVD (NIST) · CISA KEV · EPSS