CVE-2026-6478 - Vulnerability Details - OpenCVE

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Postgresql	Postgresql

No data.

No data.

References

Link	Providers
https://www.postgresql.org/support/security/CVE-2026-6478/

History

Thu, 14 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Postgresql Postgresql postgresql
Vendors & Products		Postgresql Postgresql postgresql

Thu, 14 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Title		PostgreSQL discloses MD5-hashed passwords via covert timing channel
Weaknesses		CWE-385
References		https://www.postgresql.org/support/security/CVE-2026-6478/
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published: 2026-05-14T13:00:13.174Z

Updated: 2026-05-14T15:33:03.332Z

Reserved: 2026-04-17T00:44:57.549Z

Link: CVE-2026-6478

Vulnrichment

Updated: 2026-05-14T15:32:49.316Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T14:16:25.463

Modified: 2026-05-14T16:21:23.190

Link: CVE-2026-6478

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6478", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2026-04-17T00:44:57.549Z", "datePublished": "2026-05-14T13:00:13.174Z", "dateUpdated": "2026-05-14T15:33:03.332Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-05-14T13:00:13.174Z"}, "title": "PostgreSQL discloses MD5-hashed passwords via covert timing channel", "descriptions": [{"lang": "en", "value": "Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "18.4", "status": "affected", "version": "18", "versionType": "rpm"}, {"lessThan": "17.10", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.14", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.18", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.23", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-385", "type": "CWE", "description": "Covert Timing Channel"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6478/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "configurations": [{"lang": "en", "value": "victim user has a usable MD5 password"}], "workarounds": [{"lang": "en", "value": "reset password with password_encryption=scram-sha-256"}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Joe Conway for reporting this problem."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-14T15:32:42.868340Z", "id": "CVE-2026-6478", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T15:33:03.332Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-14T15:32:42.868340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-14T15:32:49.316Z"}}], "cna": {"title": "PostgreSQL discloses MD5-hashed passwords via covert timing channel", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Joe Conway for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "18", "lessThan": "18.4", "versionType": "rpm"}, {"status": "affected", "version": "17", "lessThan": "17.10", "versionType": "rpm"}, {"status": "affected", "version": "16", "lessThan": "16.14", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.18", "versionType": "rpm"}, {"status": "affected", "version": "0", "lessThan": "14.23", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2026-6478/"}], "workarounds": [{"lang": "en", "value": "reset password with password_encryption=scram-sha-256"}], "descriptions": [{"lang": "en", "value": "Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-385", "description": "Covert Timing Channel"}]}], "configurations": [{"lang": "en", "value": "victim user has a usable MD5 password"}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-05-14T13:00:13.174Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6478", "state": "PUBLISHED", "dateUpdated": "2026-05-14T15:33:03.332Z", "dateReserved": "2026-04-17T00:44:57.549Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2026-05-14T13:00:13.174Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.2"}