<Vulnerability name="CVE-2026-13455">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-30T15:19:57</PublicDate>
    <Bugzilla id="2495009" url="https://bugzilla.redhat.com/show_bug.cgi?id=2495009" xml:lang="en:us">
postgresql_anonymizer: PostgreSQL Anonymizer: Information Disclosure via brute-force attack on hash function
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>4.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-916</CWE>
    <Details xml:lang="en:us" source="Mitre">
PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in PostgreSQL Anonymizer. Unprivileged masked users can repeatedly call the anon.hash() function to collect seed and hash output pairs. This allows an attacker to perform an offline brute-force attack to deduce the salt, potentially leading to information disclosure.
    </Details>
    <Statement xml:lang="en:us">
PostgreSQL Anonymizer is not shipped in any Red Hat product. It is available in Fedora and EPEL as a community package.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-13455
https://nvd.nist.gov/vuln/detail/CVE-2026-13455
https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/649
    </References>
</Vulnerability>