Covert Timing Channel Vulnerability in PostgreSQL Authentication by PostgreSQL
CVE-2026-6478
6.5 MEDIUM
What is CVE-2026-6478?
A covert timing channel has been identified in PostgreSQL's authentication of roles whose stored passwords are MD5 hashes. The time taken by the password comparison depends on the secret being compared, and an attacker who can measure that variation can use it to recover user credentials and gain unauthorized access. Supported releases default to scram-sha-256 password storage, but a database upgraded from an older PostgreSQL release may still hold MD5 hashes for existing roles, leaving those roles exposed. Affected versions are PostgreSQL 18.3 and earlier, 17.9 and earlier, 16.13 and earlier, 15.17 and earlier, and 14.22 and earlier.
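The roles this CVE applies to are the ones whose stored verifier is still an MD5 hash. The SQL below is an added example, not code from the PostgreSQL project or from this advisory; it audits which login roles still carry MD5 hashes and re-sets one of them so that a SCRAM-SHA-256 verifier replaces the hash. It assumes superuser access (pg_authid is only readable by superusers); the role name app_user and the password string are placeholders.

```sql
-- Added example (not from the advisory): audit and migrate MD5-hashed role passwords.
-- Run as a superuser; pg_authid.rolpassword is not visible otherwise.

-- 1. Which login roles still carry an MD5 verifier?
--    PostgreSQL stores MD5 hashes as 'md5' followed by 32 hex characters,
--    and SCRAM verifiers as 'SCRAM-SHA-256$...'.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'md5%'            THEN 'md5 (affected)'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword IS NULL                THEN 'no password'
         ELSE 'other'
       END AS password_type
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- 2. Make sure newly set passwords are hashed with SCRAM from now on.
SHOW password_encryption;                        -- expected: scram-sha-256
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- 3. Re-set each affected role's password. PostgreSQL does not convert an
--    existing MD5 hash in place; the password has to be set again so the
--    server stores a SCRAM verifier. app_user and the password are placeholders.
ALTER ROLE app_user PASSWORD 'placeholder-new-password';

-- 4. Re-check: the role should now report a SCRAM-SHA-256 verifier.
SELECT rolname, left(rolpassword, 13) AS verifier_prefix
FROM pg_authid
WHERE rolname = 'app_user';
```

Two practical notes. ALTER ROLE sends the new password to the server in clear text, where statement logging may record it; from psql, `\password app_user` hashes it client-side according to the server's password_encryption setting before sending. In pg_hba.conf, the md5 method still negotiates SCRAM for a role whose stored verifier is SCRAM, but changing the relevant lines to scram-sha-256 ensures MD5 authentication is never offered. Neither step replaces upgrading to a fixed release; they remove the MD5 hashes that the timing channel concerns.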
Affected Version(s)
PostgreSQL 18 < 18.4
PostgreSQL 17 < 17.10
PostgreSQL 16 < 16.14
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
The PostgreSQL project thanks Joe Conway for reporting this problem.