Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Published: 2026-02-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The PostgreSQL intarray extension includes a selectivity estimator that improperly accepts arbitrary input types, unvalidated. This flaw permits an object creator—a user with permissions to create objects within the database—to supply malicious data that triggers the estimator and ultimately leads to arbitrary code execution under the operating system user running PostgreSQL. The flaw represents a classic input‑validation weakness (CWE‑1287) and results in full control over the host where the database server runs. The likely attack vector is an object creator with appropriate privileges within the database.

Affected Systems

Affected products are PostgreSQL database releases before 18.2, 17.8, 16.12, 15.16 and 14.21, covering eleven major releases. The vulnerability is present in the intarray extension as shipped with these versions and persists until the specified patch levels. Administrators using any of the listed versions should consider their system impacted.

Risk and Exploitability

The base CVSS score of 8.8 indicates high severity, yet the EPSS score of less than one percent suggests that current exploit activity is low but not impossible. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to act as an object creator within the database, a role typically granted to administrators but potentially reachable by privilege‑escalation attacks. Because the code runs with the operating‑system user privileges of PostgreSQL, successful exploitation results in full account compromise of that OS user.

Generated by OpenCVE AI on April 17, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PostgreSQL 18.2, 17.8, 16.12, 15.16, 14.21 or a newer release that includes the patched intarray implementation.
  • If an upgrade cannot be performed immediately, disable or remove the intarray extension until a patch is applied, or limit creation of extensions and functions to highly trusted users.
  • After applying the patch, review and restrict database roles so that only necessary users retain object‑creation privileges, and audit for any misuse of the intarray extension.
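The three actions above can be turned into catalog queries that an administrator runs in each database of the cluster. The following script is an added example, not code from OpenCVE or from the PostgreSQL project; the fixed-version numbers come from the description above, and it assumes it is run as a role that can read the system catalogs (`pg_extension` is per-database, so the extension check must be repeated per database).

```sql
-- Added defender-side checks (example code, not from the page's sources).

-- 1. Is this server at or above the fixed minor for its major release?
--    server_version_num encodes major*10000 + minor, e.g. 16.12 -> 160012.
--    Fixed minima (from the advisory): 18.2, 17.8, 16.12, 15.16, 14.21.
SELECT s.num                       AS running_version_num,
       f.fixed                     AS fixed_minimum,
       s.num >= f.fixed            AS patched
FROM (SELECT current_setting('server_version_num')::int AS num) AS s
CROSS JOIN LATERAL (
    SELECT CASE s.num / 10000
             WHEN 18 THEN 180002
             WHEN 17 THEN 170008
             WHEN 16 THEN 160012
             WHEN 15 THEN 150016
             WHEN 14 THEN 140021
             ELSE NULL            -- major series not in the advisory's fix list
           END AS fixed) AS f;

-- 2. Is intarray installed in the current database, and in which schema?
--    (An empty result means this database is not exposed through intarray.)
SELECT e.extname, e.extversion, n.nspname AS schema_name
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname = 'intarray';

-- 3. Which non-superuser roles can create objects in user schemas?
--    These are the "object creators" the description refers to.
SELECT r.rolname, n.nspname
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY r.rolname, n.nspname;

-- 4. Interim hardening until the upgrade is applied.
--    Remove the extension if nothing depends on it (DROP without CASCADE fails
--    if dependent objects exist, which is the safe behaviour here), and stop
--    PUBLIC from creating objects in the public schema.
-- DROP EXTENSION intarray;
-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Query 3 deliberately excludes superusers: they already run with full database privileges, so the roles of interest are the ordinary ones that hold CREATE on a schema and can reach the selectivity estimator through objects they define. Query 1 returns `patched = NULL` for a major series the advisory does not list, which should be treated as "check manually", not as safe.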

Advisories
Source      ID          Title
Debian DLA  DLA-4524-1  postgresql-13 security update
Debian DSA  DSA-6132-1  postgresql-15 security update
Debian DSA  DSA-6133-1  postgresql-17 security update
History

Fri, 20 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Postgresql
Postgresql postgresql
Vendors & Products Postgresql
Postgresql postgresql

Fri, 13 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None -> threat_severity: Important


Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
Description Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Title PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code
Weaknesses CWE-1287
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-02-26T14:44:21.641Z

Reserved: 2026-02-05T18:17:54.681Z

Link: CVE-2026-2004

Vulnrichment

Updated: 2026-02-12T14:32:49.462Z

NVD

Status: Analyzed

Published: 2026-02-12T14:16:02.213

Modified: 2026-02-20T19:53:53.960

Link: CVE-2026-2004

Redhat

Severity: Important

Public Date: 2026-02-12T13:00:08Z

Links: CVE-2026-2004 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses