PostgreSQL Covert Timing Channel Vulnerability in MD5 Password Authentication

Vulnerability

A covert timing channel vulnerability has been identified in PostgreSQL authentication when comparing MD5-hashed passwords. This issue allows an attacker to recover user credentials sufficient for authentication. The vulnerability does not affect passwords hashed with scram-sha-256, which is the default in all supported PostgreSQL releases. However, databases upgraded from PostgreSQL 13 or earlier may still contain MD5-hashed passwords. Affected versions include those prior to PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23.

Impact

Exploitation of this vulnerability allows for the recovery of MD5-hashed passwords, which can be used to authenticate as the corresponding user.

Remediation

Users can upgrade to PostgreSQL versions 18.4, 17.10, 16.14, 15.18, or 14.23 to address this vulnerability.
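
The following audit is an added example, not part of the original advisory or of the PostgreSQL project. It reports the server version and the roles that still store an MD5-hashed password, the state described above for databases upgraded from PostgreSQL 13 or earlier. It assumes a superuser session (for example in psql); the "verifier" column alias is illustrative.

```sql
-- Added audit example. pg_authid is readable by superusers only.

-- 1. Server version, to compare against the fixed releases listed above.
SHOW server_version;

-- 2. Classify each role's stored password by its format.
--    MD5 entries are the literal 'md5' followed by 32 hex digits;
--    SCRAM entries start with 'SCRAM-SHA-256$'.
SELECT rolname,
       rolcanlogin,
       rolsuper,
       rolvaliduntil,
       CASE
           WHEN rolpassword IS NULL                THEN 'none'
           WHEN rolpassword ~ '^md5[0-9a-f]{32}$'  THEN 'md5'
           WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
           ELSE 'unrecognized'
       END AS verifier
FROM pg_authid
WHERE rolname !~ '^pg_'            -- skip predefined roles
ORDER BY (rolpassword ~ '^md5[0-9a-f]{32}$') DESC NULLS LAST,
         rolsuper DESC,
         rolname;

-- 3. Hash format that will be used the next time a password is set.
--    A role's stored value changes only when its password is set again.
SELECT name, setting, source
FROM pg_settings
WHERE name = 'password_encryption';

-- 4. pg_hba.conf rules that use the md5 method. Roles with an MD5-hashed
--    password authenticate through these rules; a role with a SCRAM
--    password matched by an md5 rule is authenticated with SCRAM instead.
SELECT line_number, type, database, user_name, address, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'md5'
ORDER BY line_number;
```

Roles reported as 'md5' with rolcanlogin set are the accounts this advisory concerns.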

Added: May 14, 2026, 2:22 PM
Updated: May 14, 2026, 2:22 PM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 2.5
exploitability: 5.9
remediation: 7.7
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.