
Cloud Vulnerability DB
コミュニティ主導の脆弱性データベース
CVE-2026-6478 is a covert timing channel vulnerability in PostgreSQL's MD5 password hash comparison during authentication, allowing an unauthenticated network attacker to recover user credentials sufficient to authenticate. It affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23, and was published on May 14, 2026. The vulnerability does not affect databases using scram-sha-256 passwords (the default in all currently supported releases), but may impact systems with legacy MD5-hashed passwords originating from upgrades from PostgreSQL 13 or earlier. It carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, PostgreSQL Security).
The vulnerability is classified as CWE-385 (Covert Timing Channel), where the PostgreSQL authentication code compares MD5-hashed passwords in a manner that leaks timing information observable by a remote attacker. By measuring response time differences during authentication attempts, an attacker can perform a side-channel analysis to infer and recover valid MD5 password hashes, ultimately enabling credential recovery. The flaw is only exploitable when the target database stores passwords using the legacy MD5 hashing scheme, which may be present in databases upgraded from PostgreSQL 13 or earlier. A fix commit is available in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).
A successful exploit allows an unauthenticated remote attacker to recover PostgreSQL user credentials and authenticate as that user, resulting in low confidentiality and low integrity impact with no availability impact. The attack is limited to databases that use legacy MD5-hashed passwords; systems using the default scram-sha-256 authentication are not affected. Depending on the privileges of the compromised account, an attacker could access sensitive database contents, modify data, or potentially pivot to other systems accessible via the database (GitHub Advisory, PostgreSQL Security).
postgresql.log) showing a large number of authentication failures (FATAL: password authentication failed) from the same client address over a short period.Upgrade PostgreSQL to the patched versions: 18.4, 17.10, 16.14, 15.18, or 14.23 (PostgreSQL Release). As a priority workaround, migrate all legacy MD5-hashed passwords to scram-sha-256 by updating pg_hba.conf to require scram-sha-256 and re-issuing passwords for all users. Administrators can identify users with MD5 passwords by querying pg_authid for entries where rolpassword starts with md5. Restricting network access to PostgreSQL instances (e.g., via firewall rules) reduces the attack surface while patching is pending (PostgreSQL Security).
The PostgreSQL project disclosed this vulnerability as part of a coordinated release of 11 CVEs on May 14, 2026, covering versions 14 through 18 (PostgreSQL Release). Security blogger Christophe Pettus (thebuild.com) published a summary of all 11 CVEs in the release, noting the breadth of the security update (The Build Blog). Multiple Linux distributions including Debian, SUSE, openSUSE, Ubuntu, and Amazon Linux 2023 issued downstream security advisories and updated packages shortly after the upstream release. Coverage from security news outlets such as SecurityOnline, GBHackers, and CyberSecurityNews highlighted the update, with emphasis on the broader set of vulnerabilities patched in this release.
ソース: このレポートは AI を使用して生成されました
無料の脆弱性評価
9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。
パーソナライズされたデモを見る
"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"