CVE-2026-11945

MEDIUM 6.4

PostgreSQL Anonymizer: SQL injection in the rules import functions

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

0th

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions

CWE	CWE-89
Vendor	dalibo
Product	postgresql anonymizer
Published	Jun 11, 2026
Last Updated	Jun 11, 2026

Stay Ahead of the Next One

Get instant alerts for dalibo postgresql anonymizer

Be the first to know when new medium vulnerabilities affecting dalibo postgresql anonymizer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

DALIBO / PostgreSQL Anonymizer

1 < 3.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gitlab.com: https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/643

Credits

The PostgreSQL Anonymizer project thanks user Mehmet Ince for reporting this problem.