HIGHCVE-2026-2004Published 2026-02-12Modified 2026-02-26CNA PostgreSQL

CVE-2026-2004: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 14.21
Affected Products: 1

Fix available

14.2115.1616.1217.818.2

Affected packages

n/a / PostgreSQL
< 18.2 (from 18) · < 17.8 (from 17) · < 16.12 (from 16) · < 15.16 (from 15) · < 14.21 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

postgresql.org

Metrics

Fix available