CVE-2026-6478

ADVISORY - nist

Summary

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-385⁠

Covert Timing Channel

Impacted images

Advisories

NIST

CREATED

12 hours ago

UPDATED

10 hours ago

ADVISORY IDCVE-2026-6478⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.5medium

Alpine

CREATED

6 hours ago

UPDATED

6 hours ago

ADVISORY IDCVE-2026-6478⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

10 hours ago

UPDATED

7 hours ago

ADVISORY IDCVE-2026-6478⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY