CVE-2026-2361 Overview
PostgreSQL Anonymizer contains a privilege escalation vulnerability that allows authenticated users to gain superuser privileges through the creation of a malicious temporary view. The vulnerability exists in the anon.get_tablesample_ratio function, which can be exploited to execute arbitrary code with elevated privileges when a specially crafted view is created.
Critical Impact
Authenticated database users can escalate to superuser privileges, enabling complete database takeover, unauthorized data access, and potential lateral movement within the database infrastructure.
Affected Products
- PostgreSQL Anonymizer versions prior to 3.0.1
- PostgreSQL 15 and later (exploitable only by users who have been explicitly granted CREATE on a schema)
- PostgreSQL 14 and earlier, and instances upgraded from them (higher risk because the public schema grants CREATE to all users by default)
Discovery Timeline
- 2026-02-11 - CVE-2026-2361 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-2361
Vulnerability Analysis
This privilege escalation vulnerability (CWE-427: Uncontrolled Search Path Element) allows attackers to achieve superuser access through PostgreSQL Anonymizer's view handling mechanism. The attack exploits the trust relationship between temporary views and the anon.get_tablesample_ratio function.
The vulnerability is particularly dangerous because it can be triggered by any user with CREATE privileges on a schema. In PostgreSQL 14 and earlier versions, or instances that were upgraded from these versions, the public schema grants creation permissions by default, significantly expanding the attack surface.
When exploited, an attacker gains complete superuser control over the PostgreSQL instance, enabling unauthorized data access, modification of security configurations, and potential compromise of other databases on the same server.
Root Cause
The root cause lies in insufficient privilege validation when the anon.get_tablesample_ratio function processes views. The function executes code contained within view definitions without properly verifying the security context, allowing malicious code embedded in a temporary view to run with superuser privileges rather than the calling user's privileges.
Attack Vector
The attack is network-accessible and requires high privileges (CREATE permission on a schema) to execute. The sequence is:
- An attacker creates a temporary view that references a function containing malicious code
- The attacker triggers anon.get_tablesample_ratio, which processes the malicious view
- The malicious code executes with superuser privileges, bypassing normal access controls
The attack leverages PostgreSQL's view execution model where the Anonymizer extension processes view definitions. When the vulnerable function is called, it evaluates the view's underlying function without proper privilege isolation, allowing the embedded malicious payload to execute in an elevated security context.
Detection Methods for CVE-2026-2361
Indicators of Compromise
- Unexpected temporary views created in database schemas, particularly those referencing custom functions
- Unusual calls to anon.get_tablesample_ratio from non-administrative users
- Newly created superuser accounts or unexpected privilege grants in PostgreSQL
- Suspicious function definitions containing system commands or privilege manipulation code
Detection Strategies
- Monitor PostgreSQL logs for CREATE TEMPORARY VIEW statements followed by calls to anonymizer functions
- Implement audit logging for all privilege changes and superuser activity
- Deploy database activity monitoring to detect anomalous patterns in schema object creation
- Review function definitions for suspicious code, particularly those created by non-administrative users
Monitoring Recommendations
- Enable log_statement = 'all' in PostgreSQL configuration to capture all SQL statements
- Configure alerting for any new superuser account creation or privilege escalation events
- Implement real-time monitoring of the pg_roles and pg_auth_members system catalogs for unauthorized changes
- Review audit logs for patterns of temporary view creation followed by anonymizer function calls
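A log-correlation check for the pattern described in the detection and monitoring lists above, added here as an example that is not part of the original page or of the PostgreSQL Anonymizer project. It assumes log_statement = 'all' with a log_line_prefix of '%m [%p] %u@%d ', the sample log lines are constructed, and the argument passed to anon.get_tablesample_ratio in them is a guess.

```python
import re
from collections import defaultdict

# Assumed server settings: log_statement = 'all', log_line_prefix = '%m [%p] %u@%d '.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement:\s+(?P<sql>.*)$"
)
TEMP_VIEW_RE = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?TEMP(?:ORARY)?\s+(?:RECURSIVE\s+)?VIEW\b", re.I
)
ANON_CALL_RE = re.compile(r"\banon\.get_tablesample_ratio\s*\(", re.I)

# Constructed allow-list of administrative roles; adjust to your deployment.
ADMIN_ROLES = {"postgres", "dba"}

# Constructed sample log lines (not real logs); the function argument form is assumed.
SAMPLE_LOG = """\
2026-02-12 10:01:02.123 UTC [4321] alice@hr LOG:  statement: CREATE TEMPORARY VIEW tv AS SELECT * FROM employees
2026-02-12 10:01:03.456 UTC [4321] alice@hr LOG:  statement: SELECT anon.get_tablesample_ratio('tv')
2026-02-12 10:02:00.000 UTC [5555] dba@hr LOG:  statement: SELECT anon.get_tablesample_ratio('employees')
2026-02-12 10:03:00.000 UTC [6666] bob@hr LOG:  statement: SELECT count(*) FROM employees
2026-02-12 10:04:00.000 UTC [7777] carol@hr LOG:  statement: SELECT anon.get_tablesample_ratio('employees')
"""

def find_alerts(log_text, admin_roles=ADMIN_ROLES):
    """Return (pid, user, reason) per suspicious anonymizer call; sessions are keyed by backend pid."""
    temp_view_seen = defaultdict(bool)  # pid -> a CREATE TEMP VIEW was seen earlier in this session
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip DETAIL/ERROR/other non-statement lines
        pid, user, sql = m["pid"], m["user"], m["sql"]
        if TEMP_VIEW_RE.search(sql):
            temp_view_seen[pid] = True
        if ANON_CALL_RE.search(sql) and user not in admin_roles:
            if temp_view_seen[pid]:
                reason = "anon.get_tablesample_ratio called after CREATE TEMP VIEW in same session"
            else:
                reason = "anon.get_tablesample_ratio called by non-administrative role"
            alerts.append((pid, user, reason))
    return alerts

if __name__ == "__main__":
    for pid, user, reason in find_alerts(SAMPLE_LOG):
        print(f"pid={pid} user={user}: {reason}")
```

Feed it the server log (or a pgaudit export reformatted to the same prefix) and route the "same session" alerts to your highest-priority queue, since that is the ordering the CVE requires.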
How to Mitigate CVE-2026-2361
Immediate Actions Required
- Upgrade PostgreSQL Anonymizer to version 3.0.1 or later immediately
- Review and revoke unnecessary CREATE privileges from non-administrative users
- Audit existing temporary views and functions for malicious code
- For PostgreSQL 14 and earlier, or instances upgraded from those versions, revoke the default public CREATE permission on the public schema with REVOKE CREATE ON SCHEMA public FROM PUBLIC;
Patch Information
The vulnerability has been resolved in PostgreSQL Anonymizer version 3.0.1 and later. Organizations should upgrade to the patched version as soon as possible. For detailed release information, refer to the GitLab Release Notes. Technical details about the vulnerability are available in GitLab Issue #617.
Workarounds
- Restrict CREATE privileges to only trusted administrative users until patching is complete
- Revoke default public schema permissions: REVOKE CREATE ON SCHEMA public FROM PUBLIC;
- Implement network segmentation to limit database access to authorized application servers only
- Consider temporarily disabling the PostgreSQL Anonymizer extension if not critical to operations
# Revoke public CREATE permissions on the public schema
psql -c "REVOKE CREATE ON SCHEMA public FROM PUBLIC;"
# List roles that still hold CREATE on the public schema
# (information_schema.role_table_grants only covers table privileges, so has_schema_privilege is needed here)
psql -c "SELECT rolname FROM pg_roles WHERE has_schema_privilege(rolname, 'public', 'CREATE');"
# Disable the anonymizer extension temporarily (if not critical); dependent objects may require CASCADE
psql -c "DROP EXTENSION IF EXISTS anon;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.