8.2

CVE-2026-6478

PostgreSQL discloses MD5-hashed passwords via covert timing channel

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate.  This does not affect scram-sha-256 passwords, the default in all supported releases.  However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier.  Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PostgresqlPostgresql Version < 14.23
PostgresqlPostgresql Version >= 15.0 < 15.18
PostgresqlPostgresql Version >= 16.0 < 16.14
PostgresqlPostgresql Version >= 17.0 < 17.10
PostgresqlPostgresql Version >= 18.0 < 18.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.423
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE-385 Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

https://www.postgresql.org/support/security/CVE-2026-6478/
Patch
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:22878
https://access.redhat.com/errata/RHSA-2026:26181
https://access.redhat.com/errata/RHSA-2026:26203
https://access.redhat.com/errata/RHSA-2026:26204
https://access.redhat.com/errata/RHSA-2026:26524
https://access.redhat.com/errata/RHSA-2026:26525
https://access.redhat.com/errata/RHSA-2026:26561
https://access.redhat.com/errata/RHSA-2026:27718
https://access.redhat.com/errata/RHSA-2026:27738
https://access.redhat.com/errata/RHSA-2026:27741
https://access.redhat.com/errata/RHSA-2026:27742
https://access.redhat.com/errata/RHSA-2026:27743
https://access.redhat.com/errata/RHSA-2026:28037
https://access.redhat.com/errata/RHSA-2026:28143
https://access.redhat.com/errata/RHSA-2026:28999
https://access.redhat.com/errata/RHSA-2026:29212
https://access.redhat.com/errata/RHSA-2026:29815
https://access.redhat.com/errata/RHSA-2026:29904
https://access.redhat.com/errata/RHSA-2026:29953
https://access.redhat.com/errata/RHSA-2026:32983
https://access.redhat.com/errata/RHSA-2026:32994
https://access.redhat.com/errata/RHSA-2026:21182
https://access.redhat.com/errata/RHSA-2026:28208
https://access.redhat.com/security/cve/CVE-2026-6478
https://bugzilla.redhat.com/show_bug.cgi?id=2477447
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6478.json
https://access.redhat.com/errata/RHSA-2026:33441
https://access.redhat.com/errata/RHSA-2026:33497
https://access.redhat.com/errata/RHSA-2026:34043
https://access.redhat.com/errata/RHSA-2026:34362
https://access.redhat.com/errata/RHSA-2026:34363
https://access.redhat.com/errata/RHSA-2026:35880