PostgreSQL Covert Timing Channel Vulnerability - CVE-2026-6478
A covert timing channel in the comparison of MD5-hashed passwords in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
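
A defender's audit for the exposure described above, as an added example that is not part of the advisory or of PostgreSQL's own code: it checks a `server_version` string against the fixed releases listed above and flags roles whose `pg_authid.rolpassword` still holds an MD5 verifier. The function names and sample rows are constructed for illustration, and majors the advisory does not list are reported as unknown (`None`).

```python
import re

# Fixed minor release per major, copied from the advisory text above.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Catalog query to feed audit(); reading pg_authid requires superuser.
ROLE_QUERY = "SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin"

MD5_VERIFIER = re.compile(r"md5[0-9a-f]{32}")


def is_patched(server_version):
    """True/False for majors the advisory lists, None for any other major."""
    m = re.match(r"\s*(\d+)\.(\d+)", server_version)
    if not m:
        raise ValueError(f"unrecognised version string: {server_version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        return None  # advisory names no fixed release for this major
    return minor >= FIXED_MINOR[major]


def verifier_kind(rolpassword):
    """Classify a pg_authid.rolpassword value by its stored format."""
    if rolpassword is None:
        return "none"  # role cannot use password authentication
    if MD5_VERIFIER.fullmatch(rolpassword):
        return "md5"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "other"


def audit(server_version, rows):
    """Return (patched, sorted names of roles that still hold an MD5 verifier)."""
    md5_roles = sorted(name for name, pw in rows if verifier_kind(pw) == "md5")
    return is_patched(server_version), md5_roles


# Constructed sample rows (not real credentials), shaped like ROLE_QUERY output.
SAMPLE_ROWS = [
    ("legacy_app", "md5" + "0123456789abcdef" * 2),
    ("reporting", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"),
    ("batch", None),
]

if __name__ == "__main__":
    print(audit("16.13 (Debian 16.13-1.pgdg120+1)", SAMPLE_ROWS))
```

A role flagged as `md5` keeps that verifier until its password is set again while `password_encryption` is `scram-sha-256`.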