Medium severity (6.5) · NVD Advisory · Published May 14, 2026 · Updated May 18, 2026
CVE-2026-6478
Description
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
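Because the weakness only matters for roles that still carry an MD5 hash, the practical first step is an inventory. The following is an added example, not from the advisory or the PostgreSQL project; it uses the standard `pg_authid` catalog, the `password_encryption` setting and `ALTER ROLE`, and the role name `app_user` and the password `new_secret` are placeholders.

```sql
-- Inventory which login roles still store an MD5 password hash.
-- pg_authid is superuser-only; the rolpassword prefix identifies the format.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword IS NULL                THEN 'none'
         ELSE 'other'
       END AS password_format
FROM pg_authid
WHERE rolcanlogin
ORDER BY password_format, rolname;

-- Make sure newly set passwords are stored as SCRAM verifiers. This is the
-- default on supported releases; the override only matters if a legacy
-- postgresql.conf still says md5.
SHOW password_encryption;
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- Re-hash an affected role. The password has to be set again: the server
-- cannot derive a SCRAM verifier from an existing MD5 hash.
-- 'app_user' and 'new_secret' are placeholders.
ALTER ROLE app_user PASSWORD 'new_secret';

-- Re-run the inventory; once no 'md5' rows remain, pg_hba.conf entries using
-- the "md5" method can be switched to "scram-sha-256", which additionally
-- rejects any MD5-hashed role that was missed.
```

With the "md5" method still in pg_hba.conf, a role whose stored password is already SCRAM is verified with SCRAM, so migrating roles first and the pg_hba.conf method second avoids locking anyone out mid-migration.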
Affected products
39 entries (2 CPE-based, 37 OSV package coordinates).

CPE-based:
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*, range: <14.23
- (no CPE), range: <18.4, <17.10, <16.14, <15.18, <14.23

OSV coordinates (37 package versions; each listed with its fixed-version range):
- pkg:bitnami/postgresql, range: < 14.23.0
- pkg:rpm/almalinux/libpq, range: < 13.23-2.el8_10
- pkg:rpm/almalinux/libpq-devel, range: < 13.23-2.el8_10
- pkg:rpm/almalinux/pgaudit, range: < 1.7.0-1.module_el8.9.0+3706+885c732e
- pkg:rpm/almalinux/pg_repack, range: < 1.4.8-1.module_el8.9.0+3706+885c732e
- pkg:rpm/almalinux/postgres-decoderbufs, range: < 1.9.7-1.Final.module_el8.9.0+3706+885c732e
- pkg:rpm/almalinux/postgresql, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-contrib, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-docs, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-plperl, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-plpython3, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-pltcl, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-private-devel, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-private-libs, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-server, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-server-devel, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-static, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-test, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-test-rpm-macros, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-upgrade, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/almalinux/postgresql-upgrade-devel, range: < 15.18-1.module_el8.10.0+4195+4569d728
- pkg:rpm/opensuse/postgresql14&distro=openSUSE%20Tumbleweed, range: < 14.23-1.1
- pkg:rpm/opensuse/postgresql15&distro=openSUSE%20Tumbleweed, range: < 15.18-1.1
- pkg:rpm/opensuse/postgresql16&distro=openSUSE%20Tumbleweed, range: < 16.14-1.1
- pkg:rpm/opensuse/postgresql17&distro=openSUSE%20Leap%2016.0, range: < 17.10-160000.1.1
- pkg:rpm/opensuse/postgresql17&distro=openSUSE%20Tumbleweed, range: < 17.10-1.1
- pkg:rpm/opensuse/postgresql18&distro=openSUSE%20Tumbleweed, range: < 18.4-1.1
- pkg:rpm/suse/postgresql14&distro=SUSE%20Linux%20Enterprise%20Server%2016.0, range: < 14.23-160000.1.1
- pkg:rpm/suse/postgresql14&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0, range: < 14.23-160000.1.1
- pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%2016.0, range: < 15.18-160000.1.1
- pkg:rpm/suse/postgresql15&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0, range: < 15.18-160000.1.1
- pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%2016.0, range: < 16.14-160000.1.1
- pkg:rpm/suse/postgresql16&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0, range: < 16.14-160000.1.1
- pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%2016.0, range: < 17.10-160000.1.1
- pkg:rpm/suse/postgresql17&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0, range: < 17.10-160000.1.1
- pkg:rpm/suse/postgresql18&distro=SUSE%20Linux%20Enterprise%20Server%2016.0, range: < 18.4-160000.1.1
- pkg:rpm/suse/postgresql18&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0, range: < 18.4-160000.1.1
References
1. www.postgresql.org/support/security/CVE-2026-6478/ (source: NVD; tags: Patch, Vendor Advisory)