CVE-2026-2360HIGH 8.0EPSS p32.9%

CVE-2026-2360CVE-2026-2360

Description

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and place malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved if a superuser adds a new schema in her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions

Scoring

CVSS 3.18.0 (HIGH)
VectorCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS0.41% probability of exploitation · percentile 32.9% · 2026-06-19T12:03:05Z
Published2026-02-11
Last modified2026-04-15

Underlying weaknesses· 1

CWE-427

References

  1. https://gitlab.com/dalibo/postgresql_anonymizer/-/blob/latest/NEWS.md
  2. https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/616
  3. https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATH

1

TypeTargetConfidenceTier
WeaknessUncontrolled Search Path Elementcwe-4270%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-2361
CVE
CVE-2026-9617
CVE
CVE-2025-8714
CVE
CVE-2026-2005
CVE
CVE-2026-2004
CVE
CVE-2026-2006
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.