Superuser Privilege Escalation Vulnerability in PostgreSQL Anonymizer
CVE-2026-9617

6.8 MEDIUM

Key Information:

Vendor:
Dalibo

CVE Published:
27 May 2026

What is CVE-2026-9617?

PostgreSQL Anonymizer contains a vulnerability that allows an unprivileged user to escalate privileges. By creating a table and injecting malicious code into a column identifier, an attacker can get that code executed by the k-anonymity function, which runs with superuser rights, thereby compromising database integrity. The risk is particularly notable on PostgreSQL 14 and on instances upgraded from earlier versions, where any user may create objects in the public schema. In PostgreSQL 15 and later, CREATE on the public schema is revoked from PUBLIC by default, which limits the attack vector: exploitation then requires the attacker to have been granted that permission explicitly. This vulnerability is fixed in PostgreSQL Anonymizer version 3.1.0 and later.
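As an added example, not part of this advisory or of the PostgreSQL Anonymizer code base, the following SQL gives an administrator the checks and mitigation the description implies: confirm the installed extension version against the fixed release, check whether PUBLIC can still create objects in the public schema (the PostgreSQL 14 default), apply the PostgreSQL 15 default where an upgrade is not yet possible, and show the general identifier-quoting pattern that prevents this bug class in any SECURITY DEFINER function that builds dynamic SQL. It assumes the extension is installed under its standard name, anon, and that its version strings are plain x.y.z; the demo function name is hypothetical and is not the project's k-anonymity code.

```sql
-- Added example for CVE-2026-9617; not from the advisory or the project.
-- Assumes PostgreSQL Anonymizer is installed as the extension named "anon".

-- 1. Installed extension version. Versions below 3.1.0 are affected.
--    Comparing as int arrays avoids '3.10.0' < '3.1.0' text-ordering mistakes;
--    this assumes a plain x.y.z version string.
SELECT extname,
       extversion,
       string_to_array(extversion, '.')::int[] < ARRAY[3, 1, 0] AS affected
FROM pg_extension
WHERE extname = 'anon';

-- 2. Can every role create objects in the public schema?
--    TRUE is the PostgreSQL 14 default (and survives pg_upgrade to 15+).
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;

-- 3. Mitigation for clusters that cannot upgrade the extension yet:
--    apply the PostgreSQL 15 default.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 4. After the revoke, list non-superuser roles that still hold CREATE
--    on public through explicit grants, so they can be reviewed.
SELECT r.rolname
FROM pg_roles r
WHERE has_schema_privilege(r.oid, 'public', 'CREATE')
  AND NOT r.rolsuper;

-- 5. General defensive pattern for the bug class (illustrative, hypothetical
--    function): a SECURITY DEFINER function that interpolates a column name
--    into SQL must quote it as an identifier with format('%I') (or
--    quote_ident), never concatenate it raw. A pinned search_path keeps
--    the definer's privileges from resolving attacker-created objects.
CREATE OR REPLACE FUNCTION demo_count_distinct(rel regclass, col text)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
DECLARE
  n bigint;
BEGIN
  -- %I quotes the column name as an identifier; a regclass renders as a
  -- properly quoted, schema-qualified relation name.
  EXECUTE format('SELECT count(DISTINCT %I) FROM %s', col, rel) INTO n;
  RETURN n;
END
$$;

-- Do not leave a SECURITY DEFINER function callable by everyone by default.
REVOKE EXECUTE ON FUNCTION demo_count_distinct(regclass, text) FROM PUBLIC;
```

Queries 1 and 2 together tell you whether a given database is exposed: an affected extension version combined with `public_can_create = true` is the configuration the advisory singles out. Step 3 is a stop-gap, not a substitute for upgrading to 3.1.0, since it only removes the default path by which an unprivileged user obtains a table of their own.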

Affected Version(s)

PostgreSQL Anonymizer from 1 up to, but not including, 3.1.0

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

The PostgreSQL Anonymizer project thanks user 'Buut' for reporting this problem.