CVE-2026-6478

Description

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CVSS v3.1 Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS — Exploit Prediction

0.0008

Probability of exploitation

0.23%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-385 CWE-385

Affected Products

Vendor	Product	Versions
postgresql	postgresql	< 14.23
postgresql	postgresql	15.0 — 15.18
postgresql	postgresql	16.0 — 16.14
postgresql	postgresql	17.0 — 17.10
postgresql	postgresql	18.0 — 18.4

References

Advisories & Patches

https://www.postgresql.org/support/security/CVE-2026-6478/

Frequently Asked Questions

What is CVE-2026-6478? +

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected. It has a CVSS v3.1 base score of 6.5 (MEDIUM).

How severe is CVE-2026-6478? +

CVE-2026-6478 has a CVSS v3.1 score of 6.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0008, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-6478? +

CVE-2026-6478 affects products from postgresql, specifically: postgresql. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-6478? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-29780

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 …

CVE-2025-59432

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) …

CVE-2024-11862

Non constant time cryptographic operation in Devolutions.XTS.NET 2024.11.19 and earlier allows an attacker to render half of the encryption key …

CVE-2025-53826 9.8

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, …

CVE-2025-59425 7.5

vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support in …

CVE-2025-0306 7.4

A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker …