CVE-2026-2361

HIGH

PostgreSQL - Privilege Escalation

Title source: llm

Description

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a temporary view based on a function containing malicious code. When the anon.get_tablesample_ratio function is then called, the malicious code is executed with superuser privileges. This privilege elevation can be exploited by users having the CREATE privilege in PostgreSQL 15 and later. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version because the creation permission on the public schema is granted by default. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions

References (2)

[Various Sources] https://gitlab.com/dalibo/postgresql_anonymizer/-/blob/latest/NEWS.md

View Writeup ZIP pw:eip

[Issue Tracking] https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/617

Scores

CVSS v3 8.0

EPSS 0.0006

EPSS Percentile 18.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (1)

DALIBO/PostgreSQL Anonymizer 1 - 3.0.1

Published Feb 11, 2026

Tracked Since Feb 18, 2026