CVE-2026-13455

PostgreSQL Anonymizer Salt Brute Force Vulnerability

Vulnerability report for CVE-2026-13455, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: PostgreSQL

Description

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function, collect (seed, hash_output) pairs, and perform an offline brute-force attack to deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions.

Meta Information

Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product                 Version / Range
dalibo   postgresql_anonymizer   3.1.2
dalibo   postgresql_anonymizer   up to 3.1.2 (excluding)

Exploitability

CWE-328: The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function, which allows an adversary to reasonably determine the original input (preimage attack), find another input that produces the same hash (second-preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Executive Summary

The CVE-2026-13455 vulnerability in PostgreSQL Anonymizer involves the anon.hash() function lacking the RESTRICTED label, which allows masked (unprivileged) users to repeatedly call this function.

Because anon.hash() was not properly restricted, masked users can misuse it as a hashing oracle by generating hash outputs for guessable inputs (such as names or IDs) and comparing them to masked values.

This enables an attacker to collect (seed, hash_output) pairs and perform an offline brute-force attack to deduce the secret salt used in the hashing process, effectively bypassing the salt's protection.

The vulnerability affects version 3.0.13 and likely earlier versions of PostgreSQL Anonymizer and is fixed in version 3.1.2 by adding the RESTRICTED label to anon.hash() and revoking public access to salt-reading functions.

Impact Analysis

This vulnerability allows an attacker with masked (low-privilege) access to reverse the anonymization or pseudonymization of sensitive data by deducing the secret salt used in hashing.

As a result, sensitive information such as names or IDs that were intended to be anonymized can be exposed, compromising data confidentiality.

An insider or someone with read-only access could exploit this vulnerability to perform offline brute-force attacks, potentially leading to unauthorized data disclosure.

Detection Guidance

This vulnerability can be detected by checking if the anon.hash() function in PostgreSQL Anonymizer is accessible to masked or low-privilege users without the RESTRICTED label. Specifically, you should verify whether masked roles can call anon.hash() directly, which should not be allowed.

To detect this, you can run SQL commands to check the permissions and labels on the anon.hash() function and other salt-reading SECURITY DEFINER functions.

  • Inspect the attributes of anon.hash() (this query lists its volatility, SECURITY DEFINER and leakproof flags; a RESTRICTED security label would be recorded in pg_seclabel rather than in these columns): SELECT provolatile, prosecdef, proleakproof FROM pg_proc WHERE proname = 'hash' AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'anon');
  • Check which roles have EXECUTE permission on anon.hash(): SELECT grantee FROM information_schema.role_routine_grants WHERE routine_name = 'hash' AND specific_schema = 'anon';
  • Attempt to call anon.hash() as a masked or low-privilege user to see if it is accessible.

Mitigation Strategies

Immediate mitigation steps include restricting access to the anon.hash() function and other salt-reading SECURITY DEFINER functions to prevent masked or low-privilege users from calling them.

  • Add the RESTRICTED label to the anon.hash() function to prevent masked roles from using it as a hashing oracle.
  • Revoke PUBLIC or low-privilege EXECUTE permissions on salt-reading functions to block unauthorized access.
  • Upgrade PostgreSQL Anonymizer to version 3.1.2 or later, where this vulnerability is fixed.

These steps will prevent attackers from collecting (seed, hash_output) pairs and performing offline brute-force attacks to deduce the salt.
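The detection checks and the interim hardening steps above, gathered into one script as an added example that is not part of this advisory or of the PostgreSQL Anonymizer project. It assumes that the RESTRICTED label is applied through PostgreSQL's SECURITY LABEL mechanism under the provider name anon, that anon.hash takes a single text argument, and that a masked role named masked_reader exists; all three are assumptions to adjust for your deployment.

```sql
-- Added example; not from the advisory or the pg_anonymizer project.
-- Assumptions: the RESTRICTED label is a SECURITY LABEL with provider 'anon',
-- anon.hash has the signature anon.hash(text), and 'masked_reader' is a masked role.

-- 1. Which labels does anon.hash() carry under the anon provider?
--    No row with 'RESTRICTED' in the label column means the hashing oracle is open.
SELECT p.oid::regprocedure AS func,
       l.provider,
       l.label
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
LEFT JOIN pg_seclabel l
       ON l.objoid  = p.oid
      AND l.classoid = 'pg_proc'::regclass
      AND l.provider = 'anon'
WHERE  n.nspname = 'anon'
AND    p.proname = 'hash';

-- 2. Every SECURITY DEFINER function in the anon schema that PUBLIC (and therefore
--    any masked role) may execute. Each row is a candidate salt-reading function
--    whose EXECUTE grant should be reviewed.
SELECT p.oid::regprocedure AS func,
       p.prosecdef         AS security_definer,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 'anon'
AND    p.prosecdef
AND    has_function_privilege('public', p.oid, 'EXECUTE');

-- 3. Direct probe: may the masked role call anon.hash() at all? (expected: false)
SELECT has_function_privilege('masked_reader', 'anon.hash(text)', 'EXECUTE');

-- 4. Interim hardening until the upgrade to 3.1.2 is deployed (run as superuser;
--    verify in staging first, since masking rules that call anon.hash may depend
--    on the grant).
REVOKE EXECUTE ON FUNCTION anon.hash(text) FROM PUBLIC;
SECURITY LABEL FOR anon ON FUNCTION anon.hash(text) IS 'RESTRICTED';
```

Re-run checks 1 to 3 after the hardening and again after the upgrade to confirm the label is present and the probe in step 3 returns false.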
