CVE-2026-6478
PostgreSQL 취약성 분석 및 완화

개요

CVE-2026-6478 is a covert timing channel vulnerability in PostgreSQL's MD5 password hash comparison during authentication, allowing an unauthenticated network attacker to recover user credentials sufficient to authenticate. It affects PostgreSQL versions before 18.4, 17.10, 16.14, 15.18, and 14.23, and was published on May 14, 2026. The vulnerability does not affect databases using scram-sha-256 passwords (the default in all currently supported releases), but may impact systems with legacy MD5-hashed passwords originating from upgrades from PostgreSQL 13 or earlier. It carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, PostgreSQL Security).

기술적 세부 사항

The vulnerability is classified as CWE-385 (Covert Timing Channel), where the PostgreSQL authentication code compares MD5-hashed passwords in a manner that leaks timing information observable by a remote attacker. By measuring response time differences during authentication attempts, an attacker can perform a side-channel analysis to infer and recover valid MD5 password hashes, ultimately enabling credential recovery. The flaw is only exploitable when the target database stores passwords using the legacy MD5 hashing scheme, which may be present in databases upgraded from PostgreSQL 13 or earlier. A fix commit is available in the PostgreSQL git repository (PostgreSQL Git, GitHub Advisory).

영향

A successful exploit allows an unauthenticated remote attacker to recover PostgreSQL user credentials and authenticate as that user, resulting in low confidentiality and low integrity impact with no availability impact. The attack is limited to databases that use legacy MD5-hashed passwords; systems using the default scram-sha-256 authentication are not affected. Depending on the privileges of the compromised account, an attacker could access sensitive database contents, modify data, or potentially pivot to other systems accessible via the database (GitHub Advisory, PostgreSQL Security).

착취 단계

  1. Reconnaissance: Identify PostgreSQL instances exposed to the network (e.g., via Shodan, Censys, or internal network scanning) running versions before 18.4, 17.10, 16.14, 15.18, or 14.23.
  2. Verify MD5 authentication: Attempt to connect to the target PostgreSQL instance and confirm it is configured to use MD5 password authentication (rather than scram-sha-256), which may be indicated by the authentication challenge type in the PostgreSQL wire protocol handshake.
  3. Collect timing measurements: Send a large number of authentication requests with candidate passwords or partial hash values, carefully measuring the server's response time for each attempt using high-resolution timing tools.
  4. Side-channel analysis: Analyze the collected timing data to identify statistically significant differences that reveal information about the MD5 hash comparison, progressively narrowing down the correct password hash.
  5. Authenticate: Use the recovered credentials to authenticate to the PostgreSQL instance and access the database with the privileges of the compromised user (PostgreSQL Security, GitHub Advisory).

타협의 징후

  • Network: Unusually high volume of failed or repeated authentication attempts to PostgreSQL (port 5432) from a single source IP, particularly with varying usernames or passwords in rapid succession.
  • Logs: PostgreSQL server logs (postgresql.log) showing a large number of authentication failures (FATAL: password authentication failed) from the same client address over a short period.
  • Logs: Evidence of systematic enumeration of usernames combined with repeated authentication attempts, which may indicate timing-based probing.
  • Process: No unusual process behavior expected, as the attack is conducted entirely via the PostgreSQL authentication protocol without requiring code execution on the server.

완화 및 해결 방법

Upgrade PostgreSQL to the patched versions: 18.4, 17.10, 16.14, 15.18, or 14.23 (PostgreSQL Release). As a priority workaround, migrate all legacy MD5-hashed passwords to scram-sha-256 by updating pg_hba.conf to require scram-sha-256 and re-issuing passwords for all users. Administrators can identify users with MD5 passwords by querying pg_authid for entries where rolpassword starts with md5. Restricting network access to PostgreSQL instances (e.g., via firewall rules) reduces the attack surface while patching is pending (PostgreSQL Security).

커뮤니티 반응

The PostgreSQL project disclosed this vulnerability as part of a coordinated release of 11 CVEs on May 14, 2026, covering versions 14 through 18 (PostgreSQL Release). Security blogger Christophe Pettus (thebuild.com) published a summary of all 11 CVEs in the release, noting the breadth of the security update (The Build Blog). Multiple Linux distributions including Debian, SUSE, openSUSE, Ubuntu, and Amazon Linux 2023 issued downstream security advisories and updated packages shortly after the upstream release. Coverage from security news outlets such as SecurityOnline, GBHackers, and CyberSecurityNews highlighted the update, with emphasis on the broader set of vulnerabilities patched in this release.

추가 자료


근원이 보고서는 AI를 사용하여 생성되었습니다.

관련 PostgreSQL 취약점:

CVE ID

심각도

점수

기술

구성 요소 이름

CISA KEV 익스플로잇

수정 사항이 있습니다.

게시된 날짜

CVE-2026-6638HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql:16::postgresql-private-devel
아니요May 14, 2026
CVE-2026-6637HIGH8.8
  • PostgreSQL logoPostgreSQL
  • postgresql17-pltcl
아니요May 14, 2026
CVE-2026-6479HIGH7.5
  • PostgreSQL logoPostgreSQL
  • postgresql14-pltcl
아니요May 14, 2026
CVE-2026-6478MEDIUM6.5
  • PostgreSQL logoPostgreSQL
  • postgresql16
아니요May 14, 2026
CVE-2026-6575MEDIUM4.3
  • PostgreSQL logoPostgreSQL
  • postgresql18-server-devel-debuginfo
아니요May 14, 2026

무료 취약성 평가

클라우드 보안 태세를 벤치마킹합니다

9개의 보안 도메인에서 클라우드 보안 관행을 평가하여 위험 수준을 벤치마킹하고 방어의 허점을 식별합니다.

평가 요청

추가 Wiz 리소스

맞춤형 데모 받기

맞춤형 데모 신청하기

"내가 본 최고의 사용자 경험은 클라우드 워크로드에 대한 완전한 가시성을 제공합니다."
데이비드 에슬릭최고정보책임자(CISO)
"Wiz는 클라우드 환경에서 무슨 일이 일어나고 있는지 볼 수 있는 단일 창을 제공합니다."
아담 플레처최고 보안 책임자(CSO)
"우리는 Wiz가 무언가를 중요한 것으로 식별하면 실제로 중요하다는 것을 알고 있습니다."
그렉 포니아토프스키위협 및 취약성 관리 책임자