PatchSiren cyber security CVE debrief
CVE-2026-6478 PostgreSQL CVE debrief
A covert timing channel vulnerability exists in PostgreSQL's MD5 password authentication comparison. The flaw allows network-based attackers to recover user credentials through timing analysis of authentication responses. This affects databases with legacy MD5-hashed passwords, typically originating from upgrades from PostgreSQL 13 or earlier, while scram-sha-256 passwords (the current default) are not vulnerable. The vulnerability is rated CVSS 6.5 (Medium) with network attack vector, low attack complexity, and no required privileges or user interaction.
- Vendor: PostgreSQL
- Product: PostgreSQL
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Database administrators maintaining PostgreSQL instances with legacy authentication configurations; security teams responsible for credential storage hygiene; organizations with PostgreSQL deployments upgraded from version 13 or earlier; compliance teams monitoring for weak authentication mechanisms.
Technical summary
The vulnerability is a failure to compare MD5-hashed passwords in constant time during PostgreSQL authentication. When a client presents an MD5 password, the server hashes the supplied value and compares it to the stored hash. A non-constant-time comparison produces measurable timing differences that correlate with the number of matching bytes, which allows byte-by-byte credential recovery through statistical timing analysis across many authentication attempts. The scram-sha-256 mechanism uses a proper constant-time comparison and is unaffected. Attack complexity is rated low because the flaw is reachable over the network without authentication, though practical exploitation requires sufficient network stability for timing measurement and many authentication attempts per target credential.
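As an added illustration of the flaw class described in the summary (this is example code written for this debrief, not PostgreSQL's code and not from the vendor advisory), the following C program contrasts an early-exit byte comparison, whose work depends on how long the matching prefix is, with a constant-time comparison that touches every byte regardless of input. The digest strings are constructed placeholders rather than real hashes, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the flaw class described above: this is not
 * PostgreSQL's code. A 32-character hex digest (the body of a stored
 * "md5..." password) is compared two ways, and each comparison reports how
 * many bytes it examined so the data dependence is visible. */

#define MD5_HEX_LEN 32

/* Constructed placeholder digests; not real hashes. */
static const char STORED_HASH[]     = "0123456789abcdef0123456789abcdef";
static const char CANDIDATE_FIRST[] = "f123456789abcdef0123456789abcdef"; /* differs at byte 0 */
static const char CANDIDATE_LATE[]  = "0123456789abcdef0123f56789abcdef"; /* differs at byte 20 */

/* Early-exit comparison: returns at the first differing byte, so the number
 * of bytes examined (and the time taken) grows with the length of the
 * matching prefix. This is the pattern that leaks. */
int early_exit_equal(const char *a, const char *b, size_t len, size_t *bytes_examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = len;
    return 1;
}

/* Constant-time comparison: accumulates the XOR of every byte pair and only
 * inspects the result after the loop, so every input touches all len bytes
 * and there is no branch on the position of the first mismatch. */
int constant_time_equal(const char *a, const char *b, size_t len, size_t *bytes_examined)
{
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *bytes_examined = len;
    return diff == 0;
}

/* Convenience wrappers that return only the work count for a candidate. */
size_t early_exit_cost(const char *candidate)
{
    size_t n = 0;
    early_exit_equal(STORED_HASH, candidate, MD5_HEX_LEN, &n);
    return n;
}

size_t constant_time_cost(const char *candidate)
{
    size_t n = 0;
    constant_time_equal(STORED_HASH, candidate, MD5_HEX_LEN, &n);
    return n;
}

int main(void)
{
    const char *cands[] = { CANDIDATE_FIRST, CANDIDATE_LATE, STORED_HASH };
    const char *label[] = { "mismatch at byte 0", "mismatch at byte 20", "exact match" };
    for (int i = 0; i < 3; i++)
        printf("%-20s early-exit examined %2zu bytes, constant-time examined %2zu bytes\n",
               label[i], early_exit_cost(cands[i]), constant_time_cost(cands[i]));
    return 0;
}
```

The early-exit variant examines 1, 21 and 32 bytes for the three candidates, while the constant-time variant always examines 32; that fixed cost, independent of where the first mismatch sits, is what removes the timing signal. The `volatile` accumulator is a common precaution against the compiler re-introducing an early exit.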
Defensive priority
Medium
Recommended defensive actions
- Upgrade PostgreSQL to patched versions: 18.4+, 17.10+, 16.14+, 15.18+, or 14.23+
- Identify and rotate any remaining MD5-hashed passwords to scram-sha-256
- Review pg_authid catalog for password hash types: SELECT rolname, rolpassword FROM pg_authid WHERE rolpassword LIKE 'md5%'
- Enable scram-sha-256 as the only authentication method in pg_hba.conf
- Monitor authentication logs for anomalous timing patterns or repeated failed attempts from single sources
- Prioritize patching for externally accessible PostgreSQL instances with legacy user accounts
Evidence notes
CVE published 2026-05-14; modified 2026-05-18. Vendor advisory confirms affected versions and patch availability. CWE-385 (Covert Timing Channel) classified. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.
Official resources
- CVE-2026-6478 CVE record (CVE.org)
- CVE-2026-6478 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch, Vendor Advisory (2026-05-14)