CVE-2026-2004
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Analysis
PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21 contain insufficient input validation in the intarray extension's selectivity estimator function, enabling authenticated users with object creation privileges to execute arbitrary code with database server privileges. The vulnerability requires valid database credentials but allows complete system compromise through code execution at the OS level. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit database user permissions and restrict object creation privileges to trusted administrators only; document current PostgreSQL versions across all systems. Within 7 days: Implement network segmentation to limit database access to essential applications only; monitor for suspicious object creation activities in PostgreSQL logs. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today