CVE-2026-2361

HIGH

8.0

Descricao

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a temporary view based on a function containing malicious code. When the anon.get_tablesample_ratio function is then called, the malicious code is executed with superuser privileges. This privilege elevation can be exploited by users having the CREATE privilege in PostgreSQL 15 and later. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version because the creation permission on the public schema is granted by default. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions

Detalhes CVE

Pontuacao CVSS v3.18.0

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeHIGH

Privilegios necessariosHIGH

Interacao do usuarioNONE

Publicado2/11/2026

Ultima modificacao2/12/2026

Fontenvd

Avistamentos honeypot0

Fraquezas (CWE)

CWE-427

Referencias

https://gitlab.com/dalibo/postgresql_anonymizer/-/blob/latest/NEWS.md(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/617(f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.