PT-2026-7633 · Unknown+1 · Postgresql Anonymizer+1

Published: 2026-02-11 · Updated: 2026-02-12 · CVE-2026-2360

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: PostgreSQL Anonymizer versions prior to 3.0.1

Description: The software contains a flaw that could allow a user to obtain superuser privileges. This is achieved by creating a custom operator within the public schema and embedding malicious code within that operator. The malicious code is then executed with superuser privileges during the extension creation process. The risk is elevated in PostgreSQL 14 and instances upgraded from PostgreSQL 14 or earlier. PostgreSQL 15 and later versions mitigate this risk by default, as they revoke creation permissions on the public schema. However, exploitation remains possible if a superuser adds a new schema to their search path and grants create privileges to untrusted users, which is discouraged by PostgreSQL documentation.

Recommendations: Upgrade to PostgreSQL Anonymizer version 3.0.1 or later.
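
The following audit queries are an added example, not part of the advisory or of the PostgreSQL Anonymizer project. They check the preconditions the description names: an affected extension version, and a schema on the superuser's search path where untrusted roles can create objects. They assume the extension is installed under the name `anon` and that the session belongs to the superuser who would create the extension.

```sql
-- Added audit example (not from the advisory or the PostgreSQL Anonymizer project).
-- Assumption: run in the target database as the superuser who would create the extension.

-- 1. Packaged and installed version of the extension; anything below 3.0.1 is affected.
SELECT name, default_version, installed_version
FROM pg_available_extensions
WHERE name = 'anon';

-- 2. Schemas on this session's search_path where a non-superuser login role
--    holds CREATE, i.e. could place an operator there before the extension is created.
--    Any row returned is a schema/role pair to review.
SELECT n.nspname AS schema_name,
       r.rolname AS role_name
FROM pg_namespace n
CROSS JOIN pg_roles r
WHERE n.nspname = ANY (current_schemas(false))
  AND r.rolcanlogin
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY n.nspname, r.rolname;

-- 3. Operators already present in those schemas that are owned by a non-superuser,
--    with the function each one calls, for manual review.
SELECT o.oid::regoperator AS operator_signature,
       o.oprcode          AS implementing_function,
       n.nspname          AS schema_name,
       r.rolname          AS owner
FROM pg_operator o
JOIN pg_namespace n ON n.oid = o.oprnamespace
JOIN pg_roles r     ON r.oid = o.oprowner
WHERE n.nspname = ANY (current_schemas(false))
  AND NOT r.rolsuper
ORDER BY n.nspname, o.oprname;

-- 4. Brings a cluster created on PostgreSQL 14 or earlier in line with the
--    PostgreSQL 15 default. This statement changes privileges; run it deliberately.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```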

Fix · LPE · Uncontrolled Search Path Element

Weakness Enumeration

Related Identifiers: CVE-2026-2360

Affected Products: PostgreSQL, PostgreSQL Anonymizer