CVE-2026-13455

MEDIUM 4.3

PostgreSQL Anonymizer: Unrestricted function can leak the secret salt

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions

CWE	CWE-328
Vendor	dalibo
Product	postgresql anonymizer
Published	Jun 30, 2026
Last Updated	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for dalibo postgresql anonymizer

Be the first to know when new medium vulnerabilities affecting dalibo postgresql anonymizer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

DALIBO / PostgreSQL Anonymizer

1 < 3.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gitlab.com: https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/649

Credits

The PostgreSQL Anonymizer project thanks user Sarath Kumar for reporting this problem.