CVE-2026-2360
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation via Malicious Operator in PostgreSQL Anonymizer

Publication date: 2026-02-11

Last updated on: 2026-02-12

Assigner: PostgreSQL

Description
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved if a superuser adds a new schema in her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2360
EUVD
EUVD-2026-5937
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dalibo postgresql_anonymizer 3.0.1
postgresql postgresql 14
postgresql postgresql 15
postgresql_anonymizer 3.0.1 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2360 is a vulnerability in PostgreSQL Anonymizer that allows a user to gain superuser privileges by creating a custom operator in the public schema containing malicious code. When the extension is created, this operator is executed with superuser privileges, enabling privilege escalation.

The risk is higher in PostgreSQL 14 or instances upgraded from PostgreSQL 14 or earlier, because by default all users have CREATE privileges on the public schema. In PostgreSQL 15 and later, the default CREATE permission on the public schema is revoked, reducing the risk unless a superuser explicitly adds a new schema to the search path and grants CREATE privileges to untrusted users, which is discouraged.

The vulnerability is resolved in PostgreSQL Anonymizer version 3.0.1 and later.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation, allowing an attacker to gain superuser access to the PostgreSQL database. With superuser privileges, the attacker can execute arbitrary code, manipulate data, and compromise the entire database system.

The impact is more severe on PostgreSQL 14 or earlier versions where users have CREATE privileges on the public schema by default, making it easier to exploit. In later versions, exploitation requires misconfiguration by a superuser, which is discouraged.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the creation of a custom operator in the public schema that executes malicious code with superuser privileges when the PostgreSQL Anonymizer extension is created.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability, you should check if untrusted users have CREATE privileges on the public schema or any schema in the search path, and whether any suspicious custom operators exist in those schemas.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation or risk include:'}, {'type': 'list_item', 'content': "Check schemas where untrusted users have CREATE privileges: \nSELECT nspname, rolname FROM pg_namespace JOIN pg_roles ON pg_namespace.nspowner = pg_roles.oid WHERE has_schema_privilege(rolname, nspname, 'CREATE');"}, {'type': 'list_item', 'content': "List operators in the public schema or other schemas in the search path: \nSELECT oprname, oprnamespace::regnamespace FROM pg_operator WHERE oprnamespace = 'public'::regnamespace;"}, {'type': 'list_item', 'content': 'Check the current search path for your database sessions: \nSHOW search_path;'}, {'type': 'paragraph', 'content': 'By auditing schema privileges and operators, you can identify if the conditions for this vulnerability exist.'}] [1]

Mitigation Strategies

Immediate mitigation steps include revoking CREATE privileges from untrusted users on the public schema and any other schemas in the search path.

Specifically:

  • Revoke CREATE privilege on the public schema: REVOKE CREATE ON SCHEMA public FROM PUBLIC;
  • Ensure that the search_path does not include schemas where untrusted users have CREATE privileges.
  • Upgrade PostgreSQL Anonymizer to version 3.0.1 or later, where this vulnerability is resolved.

Additionally, avoid adding new schemas to the search_path that grant CREATE privileges to untrusted users, as this can enable exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2360. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart