Cyber Resilience

CVE-2026-6478

MediumUpdated

Published: 14 May 2026

Published
14 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0056 42.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-6478 is a medium-severity Covert Timing Channel (CWE-385) vulnerability in Postgresql Postgresql. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords…

more

originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.002 Password Cracking Credential Access
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
Why these techniques?

Timing side-channel in MD5 password comparison directly enables more efficient password cracking to recover valid credentials.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

postgresql
postgresql
≤ 14.23 · 15.0 — 15.18 · 16.0 — 16.14

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-385

Directly targets covert timing channels by requiring identification and bandwidth estimation, enabling mitigation that reduces or eliminates their usability.

References