PatchSiren cyber security CVE debrief
CVE-2026-11945 DALIBO CVE debrief
A vulnerability in PostgreSQL Anonymizer allows a user to gain superuser privileges. By creating a JSON document and placing malicious code inside a particular key-value pair, an attacker can exploit this issue. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. This vulnerability has a CVSS score of 6.4 and is classified as MEDIUM severity.
- Vendor: DALIBO
- Product: PostgreSQL Anonymizer
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of PostgreSQL Anonymizer versions prior to 3.1.1 should update to the latest version to mitigate this vulnerability.
Technical summary
The vulnerability is caused by inadequate sanitization of user-supplied JSON input. An attacker can create a JSON document with malicious code and place it in a specific key-value pair. When a superuser calls certain functions, such as import_database_rules() or import_roles_rules(), the malicious code is executed with superuser privileges.
Defensive priority
MEDIUM
Recommended defensive actions
- Update PostgreSQL Anonymizer to version 3.1.1 or later.
- Restrict access to the import_database_rules() and import_roles_rules() functions to prevent exploitation.
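The second action, restricting who can call the two import functions, can be applied as shown in this added example (not code from the advisory or from the DALIBO project). It looks the functions up by name in the catalog so the exact argument lists do not have to be known, and assumes the extension lives in the schema named anon (the default for PostgreSQL Anonymizer; adjust the name if your installation differs). Revoking EXECUTE from PUBLIC limits which roles can invoke the functions but does not change what a superuser who calls them does; the version update is what removes the flaw.

```sql
-- Added example, not part of the advisory or of PostgreSQL Anonymizer itself.
-- Assumption: the extension's objects are in schema "anon".
-- Step 1: revoke EXECUTE from PUBLIC on every overload of the two import
-- functions named in the advisory, so only explicitly granted roles remain.
DO $$
DECLARE
    fn record;
BEGIN
    FOR fn IN
        SELECT p.oid::regprocedure AS sig          -- name plus argument types
        FROM pg_proc p
        JOIN pg_namespace n ON n.oid = p.pronamespace
        WHERE n.nspname = 'anon'
          AND p.proname IN ('import_database_rules', 'import_roles_rules')
    LOOP
        EXECUTE format('REVOKE EXECUTE ON FUNCTION %s FROM PUBLIC', fn.sig);
        RAISE NOTICE 'revoked EXECUTE from PUBLIC on %', fn.sig;
    END LOOP;
END
$$;

-- Step 2: verify. Each row should now report public_can_execute = false;
-- a missing row means the function was not found in schema "anon".
SELECT p.oid::regprocedure AS function_signature,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute,
       p.proacl AS access_list
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'anon'
  AND p.proname IN ('import_database_rules', 'import_roles_rules')
ORDER BY 1;
```

Grant EXECUTE back to the specific administrative role that legitimately imports rules, and treat any JSON passed to these functions as untrusted input until the instance is on 3.1.1 or later.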
Evidence notes
This vulnerability is resolved in PostgreSQL Anonymizer 3.1.1 and later versions.
Official resources
- CVE-2026-11945 CVE record (CVE.org)
- CVE-2026-11945 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
CVE-2026-11945 was published on 2026-06-11T17:16:31.837Z and modified on 2026-06-11T20:56:29.653Z.