SecuriTricks - CVE-2026-6478

Description

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Product(s) Impacted

Vendor	Product	Versions
Postgresql	Postgresql	<14.23, <15.18, <16.14, <17.10, <18.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-385

Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	postgresql	postgresql	<14.23	/	/	/	/	/	/	/
a	postgresql	postgresql	<15.18	/	/	/	/	/	/	/
a	postgresql	postgresql	<16.14	/	/	/	/	/	/	/
a	postgresql	postgresql	<17.10	/	/	/	/	/	/	/
a	postgresql	postgresql	<18.4	/	/	/	/	/	/	/

References

https://www.postgresql.org/support/security/CVE-2026-6478/

CVSS Score

6.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: May 14, 2026, 2:16 p.m.
Last Modified: May 14, 2026, 4:21 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

CVE-2026-6478