CVE-2026-2360
Published: 11 February 2026
Summary
CVE-2026-2360 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in PostgreSQL (inferred from references). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 23.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws, directly addressing this CVE by upgrading PostgreSQL Anonymizer to version 3.0.1 or later where the vulnerability is fixed.
AC-6 enforces least privilege, preventing untrusted users from obtaining CREATE privileges on the public schema needed to plant the malicious operator.
CM-6 mandates secure configuration settings such as revoking CREATE on the public schema and restricting search_path, aligning with PostgreSQL 15+ defaults that mitigate the untrusted search path exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation to superuser via a malicious operator planted in the search path and executed during extension creation (CWE-427).
NVD Description
PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a custom operator in the public schema and placing malicious code in that operator. This operator will later be executed with superuser privileges when the extension is created. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved if a superuser adds a new schema in her/his own search_path and grants the CREATE privilege on that schema to untrusted users, both actions being clearly discouraged by the PostgreSQL documentation. The problem is resolved in PostgreSQL Anonymizer 3.0.1 and further versions.
Deeper analysis
CVE-2026-2360 is a privilege escalation vulnerability in PostgreSQL Anonymizer, a PostgreSQL extension. It enables a user to gain superuser privileges by creating a custom operator in the public schema containing malicious code, which is later executed with superuser privileges during extension creation. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-427 (Untrusted Search Path). Risk is elevated in PostgreSQL 14 or instances upgraded from PostgreSQL 14 or earlier versions.
An attacker who already holds the privileges needed to create objects in the public schema can plant the malicious operator, which then runs as superuser when the extension is installed. In PostgreSQL 15 and later, CREATE on the public schema is revoked by default, so exploitation is limited to configurations where a superuser explicitly adds a schema to their search_path and grants CREATE on it to untrusted users, both of which the PostgreSQL documentation discourages.
The issue is fixed in PostgreSQL Anonymizer version 3.0.1 and later, as detailed in the project's NEWS.md and issue tracker. PostgreSQL documentation on schemas reinforces best practices to avoid granting CREATE on public or custom schemas to untrusted users.
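As an added example, not taken from the advisory or from the PostgreSQL Anonymizer project, the SQL below implements the AC-6/CM-6 hardening named in the Mitigating Controls section and the audit checks a DBA would run before installing or upgrading the extension on a PostgreSQL 14 (or upgraded-from-14) instance. Only the public schema and the pg_catalog views are referenced; everything else is standard PostgreSQL.

```sql
-- Added example: harden the public schema and audit for the preconditions
-- of CVE-2026-2360 before running CREATE EXTENSION.

-- 1. CM-6: remove the PostgreSQL 14 default that lets every role create
--    objects (including operators) in public. PostgreSQL 15+ ships this way.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. AC-6 audit: which roles (or the PUBLIC pseudo-role, grantee oid 0)
--    still hold CREATE on any user-visible schema? aclexplode() returns no
--    rows for a NULL ACL, i.e. a schema with only owner privileges.
SELECT n.nspname                       AS schema,
       COALESCE(r.rolname, 'PUBLIC')   AS grantee,
       a.privilege_type
FROM   pg_catalog.pg_namespace n
CROSS  JOIN LATERAL aclexplode(n.nspacl) a
LEFT   JOIN pg_catalog.pg_roles r ON r.oid = a.grantee
WHERE  a.privilege_type = 'CREATE'
  AND  n.nspname NOT LIKE 'pg\_%'
  AND  n.nspname <> 'information_schema'
  AND  r.rolsuper IS NOT TRUE          -- superusers are expected; skip them
ORDER  BY 1, 2;

-- 3. Detection: operators living in public that are owned by a
--    non-superuser. The extension script resolves operators through the
--    search path, so any row here deserves review before CREATE EXTENSION.
SELECT n.nspname                 AS schema,
       o.oprname                 AS operator,
       r.rolname                 AS owner,
       o.oprcode::regprocedure   AS implementation
FROM   pg_catalog.pg_operator  o
JOIN   pg_catalog.pg_namespace n ON n.oid = o.oprnamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = o.oprowner
WHERE  n.nspname = 'public'
  AND  NOT r.rolsuper
ORDER  BY 1, 2;
```

Run the two SELECTs as a superuser; an empty result for each is the expected state on a correctly configured PostgreSQL 15+ server, and a non-empty result on a 14-era instance shows the CWE-427 precondition is still present.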
Details
- CWE(s)