CVE-2026-2004 — Improper Validation of Specified Type of Input in Postgresql

CWE-1287 — Improper Validation of Specified Type of Input16 documents9 sources

Severity

8.8HIGHNVD

OSV4.3

EPSS

0.0%

top 85.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Debian Postgresql-13 Debian Postgresql-15 +2 more

Timeline

PublishedFeb 12

Latest updateMar 4

Description

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶debiandebian/postgresql-13< postgresql-13 13.23-0+deb11u2 (bullseye)

▶debiandebian/postgresql-15< postgresql-13 13.23-0+deb11u2 (bullseye)

▶debiandebian/postgresql-17< postgresql-13 13.23-0+deb11u2 (bullseye)

▶debiandebian/postgresql-18< postgresql-13 13.23-0+deb11u2 (bullseye)

▶CVEListV5postgresql/postgresql18 — 18.2+4

🔴Vulnerability Details

OSV

postgresql-14, postgresql-16, postgresql-17 vulnerabilities↗2026-03-04

▶

CVEList

PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code↗2026-02-12

▶

GHSA

GHSA-qw3h-8vxv-jf6c: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code↗2026-02-12

▶

OSV

CVE-2026-2004: Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code↗2026-02-12

▶

💥Exploits & PoCs

Exploit-DB

APSIS Pound 1.5 - Remote Format String↗2004-05-03

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2026-03-04

▶

Red Hat

postgresql: PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code↗2026-02-12

▶

Debian

CVE-2026-2004: postgresql-13 - Missing validation of type of input in PostgreSQL intarray extension selectivity...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2004 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-3172 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-2003 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-2005 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-2006 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶