PatchSiren cyber security CVE debrief
CVE-2026-9617 DALIBO CVE debrief
A privilege escalation vulnerability in PostgreSQL Anonymizer allows authenticated database users to execute arbitrary code with superuser privileges when a superuser invokes the k-anonymity function on a maliciously crafted table. The attack vector involves embedding malicious code within column identifiers, which are then executed during function processing. The vulnerability is more readily exploitable on PostgreSQL 14 or systems upgraded from PostgreSQL 14 or earlier versions, where the public schema retains default CREATE TABLE permissions. PostgreSQL 15 and later versions mitigate this attack surface by revoking public CREATE permissions on the public schema by default, though explicit CREATE TABLE grants to non-superusers still present risk. The issue is resolved in PostgreSQL Anonymizer 3.1.0.
- Vendor: DALIBO
- Product: PostgreSQL Anonymizer
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Database administrators running PostgreSQL Anonymizer, security teams managing PostgreSQL environments, compliance officers handling data anonymization pipelines, and organizations using k-anonymity features for privacy-preserving analytics.
Technical summary
The k-anonymity function in PostgreSQL Anonymizer fails to properly sanitize column identifiers, enabling SQL injection through maliciously crafted table definitions. When a superuser executes the function against a table containing embedded executable code in column names, that code runs with superuser privileges. The vulnerability exploits PostgreSQL's identifier handling and requires: (1) ability to create tables (automatic on PostgreSQL 14 public schema, requires explicit grant on PostgreSQL 15+), and (2) a superuser to subsequently invoke k-anonymity on the malicious table. The fix in version 3.1.0 addresses the identifier sanitization deficiency.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade PostgreSQL Anonymizer to version 3.1.0 or later
- Audit database user privileges, specifically CREATE TABLE grants on public and user schemas
- Review PostgreSQL version: prioritize remediation on PostgreSQL 14 or systems upgraded from PostgreSQL 14/prior
- Restrict CREATE TABLE privileges to only necessary administrative accounts
- Monitor for anomalous table creation patterns, particularly tables with unusual column naming conventions
- Implement principle of least privilege for database user accounts
- Review query logs for k-anonymity function invocations by superuser accounts on user-created tables
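The privilege audit and column-naming review from the list above, written out as catalog queries. This is an added example, not code from the advisory or from the PostgreSQL Anonymizer project; it assumes the extension is installed under its usual name `anon` and that the role running it can read the system catalogs.

```sql
-- 1. Non-superuser login roles that can still CREATE objects in the public
--    schema (the precondition that is met by default on PostgreSQL 14 and on
--    clusters upgraded from 14 or earlier).
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'public', 'CREATE') AS can_create_in_public
FROM pg_roles r
WHERE r.rolcanlogin
  AND NOT r.rolsuper
ORDER BY r.rolname;

-- Hardening for the rows that come back with can_create_in_public = true
-- (this is the PostgreSQL 15+ default; grant CREATE back only to the
-- specific roles that need it):
--   REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Triage signal for "unusual column naming": identifiers that do not match
--    the plain unquoted form. Quotes, semicolons, parentheses or whitespace in a
--    column name can only get there via a double-quoted identifier at CREATE
--    time, so review these tables before a superuser runs the k-anonymity
--    function on them. Mixed-case quoted names will also match; that is
--    acceptable noise for a review list.
SELECT n.nspname                 AS schema_name,
       c.relname                 AS table_name,
       a.attname                 AS column_name,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_attribute a
JOIN pg_class     c ON c.oid = a.attrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm')
  AND a.attnum > 0
  AND NOT a.attisdropped
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND a.attname !~ '^[a-z_][a-z0-9_]*$'
ORDER BY 1, 2, 3;

-- 3. Installed extension version: anything below 3.1.0 is within the affected
--    range stated in the advisory. (Extension name 'anon' is an assumption.)
SELECT extname, extversion
FROM pg_extension
WHERE extname = 'anon';
```

Query 2 is a review aid, not a detector: a flagged identifier is a reason to inspect the table and its owner, and an empty result does not prove that no crafted table exists.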
Evidence notes
Vulnerability description confirms privilege escalation through column identifier injection in k-anonymity function. CVSS 6.8 (MEDIUM) with attack vector network, low complexity, high privileges required, user interaction required. CWE-89 (SQL Injection) identified in source metadata. Fix version 3.1.0 explicitly stated. PostgreSQL version-specific exposure differences documented in official description.
Official resources
- CVE-2026-9617 CVE record (CVE.org)
- CVE-2026-9617 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (2026-05-27T14:17:40.273Z)