CVE-2026-2004

Published: Feb 12, 2026Modified: Feb 20, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (Secondary)

Description

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected (5)

Products: Postgresql: Postgresql

Postgresql

1 product

Postgresql

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	From 14.0 to 14.21
Postgresql Postgresql	From 15.0 to 15.16
Postgresql Postgresql	From 16.0 to 16.12
Postgresql Postgresql	From 17.0 to 17.8
Postgresql Postgresql	From 18.0 to 18.2

Related CWEs

CWE-1287

Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

References (1)

https://www.postgresql.org/support/security/CVE-2026-2004/

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Vendor Advisory

Timeline

No history available yet.