Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-14T13:00:13 postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CWE-385

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts databases that retain MD5-hashed passwords from upgrades of PostgreSQL 13 or earlier.

To mitigate this vulnerability, ensure that all PostgreSQL user passwords are not hashed using MD5. Users should migrate to stronger hashing algorithms such as `scram-sha-256`. This can be achieved by altering user passwords, which will automatically update their hash to the currently configured default. For example, to change a user's password: `ALTER USER username WITH PASSWORD 'new_password';` This action will require users to re-authenticate. If a service relies on these credentials, it may require a restart to pick up the new authentication details. Red Hat Hardened Images 2026-05-26T00:00:00Z RHSA-2026:21182 postgresql17-main-17.10-0.1.hum1 Red Hat Hardened Images 2026-06-03T00:00:00Z RHSA-2026:22878 postgresql18-main-18.4-0.1.hum1 Red Hat Enterprise Linux 10 Affected postgresql16 Red Hat Enterprise Linux 10 Affected postgresql18 Red Hat Enterprise Linux 6 Out of support scope postgresql Red Hat Enterprise Linux 7 Affected postgresql Red Hat Enterprise Linux 8 Affected postgresql Red Hat Enterprise Linux 8 Affected postgresql:12/postgresql Red Hat Enterprise Linux 8 Affected postgresql:13/postgresql Red Hat Enterprise Linux 8 Affected postgresql:15/postgresql Red Hat Enterprise Linux 8 Affected postgresql:16/postgresql Red Hat Enterprise Linux 9 Affected postgresql Red Hat Enterprise Linux 9 Affected postgresql:15/postgresql Red Hat Enterprise Linux 9 Affected postgresql:16/postgresql Red Hat Enterprise Linux 9 Affected postgresql:18/postgresql https://www.cve.org/CVERecord?id=CVE-2026-6478 https://nvd.nist.gov/vuln/detail/CVE-2026-6478 https://www.postgresql.org/support/security/CVE-2026-6478/