CVE-2026-2004
HIGH8.8EPSS 0.06%PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code
Published: 2/12/2026Modified: 4/28/2026
Also known as:ALPINE-CVE-2026-2004
Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Affected packages (9)
- Alpine/postgresql15from 0, < 15.16-r0
- Alpine/postgresql16from 0, < 16.12-r0
- Alpine/postgresql17from 0, < 17.8-r0
- Alpine/postgresql18from 0, < 18.2-r0
- Bitnami/postgresqlfrom 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
- Debian/postgresql-13from 0, < 13.23-0+deb11u2
- Debian/postgresql-15from 0, < 15.16-0+deb12u1
- Debian/postgresql-17from 0, < 17.8-0+deb13u1
- Debian/postgresql-18from 0, < 18.2-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |