CVE-2026-2360 Overview
PostgreSQL Anonymizer contains a privilege escalation vulnerability that allows a database user to gain superuser privileges by creating a custom operator in the public schema containing malicious code. This operator is subsequently executed with superuser privileges when the extension is created, enabling complete database compromise.
Critical Impact
A lower-privileged database user can escalate to superuser privileges, potentially gaining full control over the PostgreSQL instance and all data contained within.
Affected Products
- PostgreSQL Anonymizer versions prior to 3.0.1
- PostgreSQL 14 and instances upgraded from PostgreSQL 14 or earlier versions (higher risk)
- PostgreSQL 15 and later with non-default schema configurations granting CREATE privilege to untrusted users
Discovery Timeline
- 2026-02-11 - CVE CVE-2026-2360 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-2360
Vulnerability Analysis
This vulnerability represents a classic privilege escalation through operator hijacking in PostgreSQL extensions. The attack exploits the order in which PostgreSQL resolves operators during extension installation. When PostgreSQL Anonymizer is installed, it searches for operators in the search_path, which by default includes the public schema before other schemas.
An attacker with the ability to create objects in the public schema can define a custom operator with a name that matches one used by the Anonymizer extension. When a database superuser subsequently creates or enables the PostgreSQL Anonymizer extension, the malicious operator is resolved and executed in the superuser context, granting the attacker elevated privileges.
The severity of this vulnerability varies based on PostgreSQL version. PostgreSQL 14 and earlier versions are at higher risk because the public schema grants CREATE privileges to all database users by default. Starting with PostgreSQL 15, this default behavior was changed to revoke CREATE permissions on the public schema, significantly reducing the attack surface. However, the vulnerability can still be exploited in PostgreSQL 15+ if administrators explicitly grant CREATE privileges on schemas included in their search_path to untrusted users.
Root Cause
The root cause is classified as CWE-427 (Uncontrolled Search Path Element). The PostgreSQL Anonymizer extension does not adequately control the search path used during operator resolution, allowing user-controlled schemas to inject malicious operators that get executed with elevated privileges during extension initialization.
Attack Vector
The attack is network-accessible and requires high privileges (the ability to create database objects). The attacker must:
- Have CREATE privileges on a schema that appears in the superuser's search_path
- Create a malicious custom operator that mimics an operator used by the Anonymizer extension
- Wait for a superuser to install or reinitialize the PostgreSQL Anonymizer extension
- The malicious operator code executes with superuser privileges
The vulnerability exploitation requires the confluence of these conditions, making the attack complexity high. However, successful exploitation results in complete compromise of database confidentiality, integrity, and availability with changed scope, as the attacker can affect resources beyond the originally authorized scope.
Detection Methods for CVE-2026-2360
Indicators of Compromise
- Unusual custom operators created in the public schema or other commonly used schemas
- Operators with names matching those used by PostgreSQL Anonymizer extension
- Database audit logs showing operator creation by non-administrative users followed by extension operations
- Unexpected privilege grants or role modifications in PostgreSQL
Detection Strategies
- Monitor PostgreSQL audit logs for CREATE OPERATOR statements from non-administrative accounts
- Review existing operators in the public schema using \do public.* in psql
- Implement database activity monitoring to alert on schema object creation in sensitive schemas
- Audit search_path configurations for all database users and roles
Monitoring Recommendations
- Enable PostgreSQL logging with log_statement = 'ddl' to capture all DDL operations
- Deploy database activity monitoring solutions that can detect privilege escalation patterns
- Regularly audit database objects in the public schema and compare against a known-good baseline
- Monitor for unexpected superuser activity following extension installations
How to Mitigate CVE-2026-2360
Immediate Actions Required
- Upgrade PostgreSQL Anonymizer to version 3.0.1 or later immediately
- Audit the public schema for suspicious or unexpected custom operators
- Review and restrict CREATE privileges on schemas included in superuser search paths
- For PostgreSQL 14 or upgraded instances, revoke CREATE on the public schema from untrusted users
Patch Information
The vulnerability is resolved in PostgreSQL Anonymizer version 3.0.1 and all subsequent versions. Administrators should update to the latest version available from the official repository. For detailed information about the vulnerability and fix, refer to GitLab Issue #616.
Workarounds
- Revoke CREATE privileges on the public schema from all non-administrative users: REVOKE CREATE ON SCHEMA public FROM PUBLIC;
- Configure a restrictive search_path that does not include user-accessible schemas when performing administrative operations
- Use schema-qualified object references in the extension to prevent operator hijacking
- Follow PostgreSQL security best practices as documented in the PostgreSQL DDL Schemas Documentation
# Revoke CREATE privileges on public schema
psql -U postgres -c "REVOKE CREATE ON SCHEMA public FROM PUBLIC;"
# Verify current permissions on public schema
psql -U postgres -c "\dn+ public"
# List all operators in public schema for audit
psql -U postgres -c "SELECT * FROM pg_operator WHERE oprnamespace = 'public'::regnamespace;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
