cbcvebase.
CVE-2026-2004
published 2026-02-12

CVE-2026-2004: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the…

Priority: P2 (62)
CVSS 3.1 base score: 8.8 (high)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.78% (51.5th percentile)
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected

14 ranges

Vendor      Product        Version range                               Fixed in
debian      postgresql-13  < postgresql-13 13.23-0+deb11u2 (bullseye)  postgresql-13 13.23-0+deb11u2 (bullseye)
debian      postgresql-15  < postgresql-13 13.23-0+deb11u2 (bullseye)  postgresql-13 13.23-0+deb11u2 (bullseye)
debian      postgresql-17  < postgresql-13 13.23-0+deb11u2 (bullseye)  postgresql-13 13.23-0+deb11u2 (bullseye)
debian      postgresql-18  < postgresql-13 13.23-0+deb11u2 (bullseye)  postgresql-13 13.23-0+deb11u2 (bullseye)
postgresql  postgresql     < 14.21                                     14.21
postgresql  postgresql     >= 14.0 < 14.21                             14.21
postgresql  postgresql     >= 15 < 15.16                               15.16
postgresql  postgresql     >= 15.0 < 15.16                             15.16
postgresql  postgresql     >= 16 < 16.12                               16.12
postgresql  postgresql     >= 16.0 < 16.12                             16.12
postgresql  postgresql     >= 17 < 17.8                                17.8
postgresql  postgresql     >= 17.0 < 17.8                              17.8
postgresql  postgresql     >= 18 < 18.2                                18.2
postgresql  postgresql     >= 18.0 < 18.2                              18.2

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the PostgreSQL intarray extension's selectivity estimator function: monitor for unexpected object creation (e.g., CREATE FUNCTION, CREATE OPERATOR CLASS) by non-superuser roles that interact with intarray operators, as exploitation requires an 'object creator' role.
  • Audit PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 for the presence of the intarray extension and restrict the CREATE privilege to trusted users until patched.
  • No public exploit exists for this CVE as of the time of source publication; exploitation probability (EPSS) is relatively low, at the 14.8th percentile.
  • Debian 11 and Red Hat 6/7 have no fix available; environments running these distributions remain exposed.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                     8.8    HIGH
vendor_debian           8.8    HIGH
vendor_redhat           8.8    HIGH
vendor_ubuntu           4.3    MEDIUM