CVE-2026-2361 in PostgreSQL Anonymizer
Summary
by MITRE • 02/11/2026
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a temporary view based on a function containing malicious code. When the anon.get_tablesample_ratio function is then called, the malicious code is executed with superuser privileges. This privilege elevation can be exploited by users having the CREATE privilege in PostgreSQL 15 and later. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version because the creation permission on the public schema is granted by default. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions.
Analysis
by VulDB Data Team • 02/16/2026
This vulnerability affects the PostgreSQL Anonymizer extension, which masks sensitive data by replacing it with realistic but fake values. It is a privilege escalation: an authenticated user who can create database objects can reach superuser level by creating a crafted object and then calling the extension's anon.get_tablesample_ratio function, which ends up executing the user's code with elevated privileges. A bug of this kind defeats the principle of least privilege outright and can hand an attacker complete control of the database system.
Technically, the issue combines PostgreSQL's privilege model with the way the extension's function is executed. Extensions of this kind are installed by a superuser and their functions are owned by that superuser; for the attacker's code to run as superuser when a non-superuser calls anon.get_tablesample_ratio, the function must be executing with its owner's privileges rather than the caller's. An attacker holding the CREATE privilege creates a function containing arbitrary SQL or PL/pgSQL and a temporary view whose definition calls it; when the attacker then invokes anon.get_tablesample_ratio, the view is evaluated inside the function's superuser context and the attacker's code runs as superuser. The advisory does not say exactly how the function comes to evaluate the attacker's view; the shape of the bug is the familiar one of a privileged routine querying or resolving objects that an unprivileged caller is allowed to define. What makes it notable is that every step is an ordinary, permitted database operation: no access to the host, no memory corruption, and no second bug is required.
The impact goes well beyond the immediate privilege gain, because a superuser sits outside every in-database control. An attacker who reaches that level can read any table, modify system catalogs, create further roles with SUPERUSER or CREATEROLE, bypass row-level security and masking policies, and, through COPY ... TO PROGRAM or an untrusted procedural language, run commands on the database host. The vulnerable component is the extension, so any PostgreSQL version running PostgreSQL Anonymizer before 3.0.1 is exposed; what varies between versions is who can reach the bug. PostgreSQL 15 stopped granting CREATE on the public schema to PUBLIC in newly created clusters, so on a fresh 15 or later installation only roles that were explicitly given CREATE on some schema can exploit the flaw. On PostgreSQL 14 and earlier, and on clusters that were created there and later moved to 15 or newer with pg_upgrade or pg_dump/pg_restore, the old grant is carried forward unless an administrator revoked it, so every login role can exploit it. Because in-place upgrades are the norm in production, a large share of 15+ instances still carry that legacy default.
The fix is to upgrade PostgreSQL Anonymizer to version 3.0.1 or later; the advisory does not describe the code change, only that the issue is resolved there. Because the exploit requires the CREATE privilege, organizations should also audit which roles hold CREATE on schemas, revoke it where it is not needed (in particular the legacy grant to PUBLIC on the public schema), and treat the ability to create objects as a privilege granted deliberately to migration or owner roles rather than inherited by default. The vulnerability is classified under CWE-276 (Incorrect Default Permissions), which fits the enabling condition: the default CREATE grant on public that pre-15 clusters carry forward. In ATT&CK terms it is a privilege-escalation primitive reachable with a legitimate database login, so it relates to T1078 (Valid Accounts) and T1548 (Abuse Elevation Control Mechanism) at the technique level; the narrower sub-techniques T1078.004 (Cloud Accounts) and T1548.001 (Setuid and Setgid) describe cloud identities and Unix file-mode bits respectively and do not match a PostgreSQL role calling an extension function. For detection, log DDL (log_statement = 'ddl' or an event trigger) and alert on CREATE VIEW and CREATE FUNCTION statements issued by application roles, and on calls to anon.get_tablesample_ratio from roles that have no reason to drive the masking engine.
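The triage, hardening and detection steps described above, collected as an added SQL example; this is not code from the advisory or from the PostgreSQL Anonymizer project. It assumes the extension is installed under its usual extension name anon, and the role names app_migrator and app_user are placeholders to replace with your own. Run it as a superuser.

```sql
-- Added example for CVE-2026-2361 triage (not from the advisory or the project).
-- Role names app_migrator and app_user are placeholders.

-- 1. Is the extension installed, and at which version? Per the advisory,
--    anything below 3.0.1 is affected.
SELECT extname, extversion
FROM pg_extension
WHERE extname = 'anon';

-- 2. Which roles hold CREATE on which schemas? A NULL nspacl means the
--    owner-only default, so expand it with acldefault(). Grantee OID 0 is
--    PUBLIC; on clusters initialised before PostgreSQL 15 (or upgraded from
--    one) it still shows up with CREATE on "public".
SELECT n.nspname AS schema,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(COALESCE(n.nspacl, acldefault('n', n.nspowner))) AS a
WHERE a.privilege_type = 'CREATE'
  AND n.nspname !~ '^pg_'
ORDER BY 1, 2;

-- 3. Drop the legacy default that makes the bug reachable by every login
--    role (this is what PostgreSQL 15 does for new clusters), then hand
--    CREATE back only to the role that owns schema migrations.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CREATE ON SCHEMA public TO app_migrator;

-- 4. Verify from the point of view of an ordinary application role.
SELECT has_schema_privilege('app_user', 'public', 'CREATE');  -- should be false

-- 5. After installing the patched package, move the extension to 3.0.1+.
ALTER EXTENSION anon UPDATE;

-- 6. Detection: an event trigger that writes a LOG line whenever a
--    non-superuser creates a view or function (temporary ones included;
--    their schema_name will be a pg_temp_N schema). Feed the server log
--    to your SIEM and alert on 'ddl-audit:' from application roles.
CREATE OR REPLACE FUNCTION audit_ddl_create() RETURNS event_trigger
LANGUAGE plpgsql AS $$
DECLARE
    r record;
BEGIN
    FOR r IN SELECT * FROM pg_event_trigger_ddl_commands() LOOP
        IF r.command_tag IN ('CREATE VIEW', 'CREATE FUNCTION')
           AND NOT (SELECT rolsuper FROM pg_roles WHERE rolname = current_user) THEN
            RAISE LOG 'ddl-audit: % % by % in schema %',
                      r.command_tag, r.object_identity, current_user, r.schema_name;
        END IF;
    END LOOP;
END;
$$;

CREATE EVENT TRIGGER audit_ddl_create
    ON ddl_command_end
    WHEN TAG IN ('CREATE VIEW', 'CREATE FUNCTION')
    EXECUTE FUNCTION audit_ddl_create();
```

Step 2 is the one worth running on every database, not just the one where anon is installed: the same legacy grant enables the whole family of privileged-function bugs, and an upgraded cluster can carry it in databases created long before the extension was added. The event trigger in step 6 is a complement to, not a replacement for, log_statement = 'ddl'; the trigger gives you the resolved object identity and schema, while the statement log captures the full text of the CREATE FUNCTION body that a reviewer will want to see.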