CVE Catalog

CVE-2026-6478

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.56%

42th percentile - higher than 42% of all known CVEs

Summary

A covert timing channel in the comparison of MD5-hashed passwords during PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This vulnerability does not affect scram-sha-256 passwords, the default in all supported releases, but may impact databases with MD5-hashed passwords from upgrades of PostgreSQL 13 or earlier.

Risk Assessment

An attacker can exploit server response timing to recover MD5 passwords and gain unauthorized database access. The risk is especially high in environments still using MD5 passwords from upgrades of PostgreSQL 13 or earlier.

Recommendation

Immediately upgrade PostgreSQL to versions 18.4, 17.10, 16.14, 15.18, or 14.23. After upgrading, enforce password changes for all users to new passwords generated with scram-sha-256.

Original NVD description (English source)

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS