ALPINE-CVE-2026-6478

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2026-6478

Import Source

https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json

JSON Data

https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-6478

Upstream

CVE-2026-6478

Published

2026-05-14T14:16:25.463Z

Modified

2026-06-09T21:31:28.416745437Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

References

https://security.alpinelinux.org/vuln/CVE-2026-6478

Affected packages

Alpine:v3.20

postgresql15

Package

Name: postgresql15
Purl: pkg:apk/alpine/postgresql15?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.18-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.14-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

Alpine:v3.21

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.14-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

postgresql17

Package

Name: postgresql17
Purl: pkg:apk/alpine/postgresql17?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.10-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

Alpine:v3.22

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.14-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

postgresql17

Package

Name: postgresql17
Purl: pkg:apk/alpine/postgresql17?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.10-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

Alpine:v3.23

postgresql17

Package

Name: postgresql17
Purl: pkg:apk/alpine/postgresql17?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.10-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

postgresql18

Package

Name: postgresql18
Purl: pkg:apk/alpine/postgresql18?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.4-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

Alpine:v3.24

postgresql17

Package

Name: postgresql17
Purl: pkg:apk/alpine/postgresql17?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.10-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"

postgresql18

Package

Name: postgresql18
Purl: pkg:apk/alpine/postgresql18?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

18.4-r0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-6478.json"