CVE-2026-2004
CVE-2026-2004 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Missing validation of the type of input in the PostgreSQL intarray extension's selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Postgresql | Postgresql | >= 14.0, < 14.21 |
| Postgresql | Postgresql | >= 15.0, < 15.16 |
| Postgresql | Postgresql | >= 16.0, < 16.12 |
| Postgresql | Postgresql | >= 17.0, < 17.8 |
| Postgresql | Postgresql | >= 18.0, < 18.2 |
References
- https://www.postgresql.org/support/security/CVE-2026-2004/ (Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-2004?
How severe is CVE-2026-2004?
How do I fix CVE-2026-2004?
Source: NVD / NIST
