CVE-2026-6478
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk42th percentile - higher than 42% of all known CVEs
Summary
A covert timing channel in the comparison of MD5-hashed passwords during PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This vulnerability does not affect scram-sha-256 passwords, the default in all supported releases, but may impact databases with MD5-hashed passwords from upgrades of PostgreSQL 13 or earlier.
Risk Assessment
An attacker can exploit server response timing to recover MD5 passwords and gain unauthorized database access. The risk is especially high in environments still using MD5 passwords from upgrades of PostgreSQL 13 or earlier.
Recommendation
Immediately upgrade PostgreSQL to versions 18.4, 17.10, 16.14, 15.18, or 14.23. After upgrading, enforce password changes for all users to new passwords generated with scram-sha-256.
Original NVD description (English source)
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

