2487945 – (CVE-2026-11945) CVE-2026-11945 postgresql_anonymizer: PostgreSQL Anonymizer: Privilege escalation via malicious JSON document and superuser function calls

Bug 2487945 (CVE-2026-11945) - CVE-2026-11945 postgresql_anonymizer: PostgreSQL Anonymizer: Privilege escalation via malicious JSON document and superuser function calls

Summary: CVE-2026-11945 postgresql_anonymizer: PostgreSQL Anonymizer: Privilege escala...

Keywords:
Status:	NEW
Alias:	CVE-2026-11945
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2488285 2488286
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-11 17:01 UTC by OSIDB Bzimport
Modified:	2026-06-12 09:25 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-11 17:01:46 UTC

PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions

Note You need to log in before you can comment on or make changes to this bug.