CVE-2026-9617

Published: Mag 27, 2026 Last Modified: Mag 27, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,8

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Attack Vector: network

Attack Complexity: low

Privileges Required: high

User Interaction: required

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and further versions

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Authentication Access Control

Potential Impacts:

Execute Unauthorized Code Or Commands Read Application Data Gain Privileges Or Assume Identity Bypass Protection Mechanism Modify Application Data

Applicable Platforms

Languages: Not Language-Specific, SQL

Technologies: Database Server

Likelihood of Exploit: High

View CWE Details

https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/640

CVE-2026-9617

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter