PostgreSQL Anonymizer: SQL injection in the rules import functions
CVE-2026-11945

6.4MEDIUM

Key Information:

Vendor: Dalibo
Status: Postgresql Anonymizer
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-11945?

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions

Affected Version(s)

PostgreSQL Anonymizer 1 < 3.1.1

References

https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/643

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Jun 10, 2026

Credit

The PostgreSQL Anonymizer project thanks user Mehmet Ince for reporting this problem.

CVE-2026-11945 Data

JSON

Dalibo

What is CVE-2026-11945?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit