CVE-2026-13455
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A vulnerability in PostgreSQL Anonymizer allows unprivileged masked users to repeatedly call the anon.hash() function and collect (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt.
Risk Assessment
The risk is that an attacker can recover the salt used for data masking, potentially leading to disclosure of original sensitive data values.
Recommendation
It is recommended to immediately upgrade PostgreSQL Anonymizer to version 3.1.2 or later, which fixes this vulnerability.
Original NVD description (English source)
PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions

