PostgreSQL MD5 Timing Channel CVE-2026-6478 (v<18.4/17.10/16.14/15.18/14.23): CVE-2026-6478 May 2026

PostgreSQL MD5 Timing Channel CVE-2026-6478 (v<18.4/17.10/16.14/15.18/14.23)
CVE-2026-6478 Published on May 14, 2026

PostgreSQL discloses MD5-hashed passwords via covert timing channel
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

Weakness Type

Covert Timing Channel

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Products Associated with CVE-2026-6478

Want to know whenever a new CVE is published for PostgreSQL? stack.watch will email you.

PostgreSQL MD5 Timing Channel CVE-2026-6478 (v<18.4/17.10/16.14/15.18/14.23)CVE-2026-6478 Published on May 14, 2026

Weakness Type

Covert Timing Channel

Products Associated with CVE-2026-6478

PostgreSQL MD5 Timing Channel CVE-2026-6478 (v<18.4/17.10/16.14/15.18/14.23)
CVE-2026-6478 Published on May 14, 2026