CVE-2026-2004

Advisory lineage Upstream: 0 Downstream: 65

Downstream

ALPINE-CVE-2026-2004 DEBIAN-CVE-2026-2004 DSA-6132-1 DSA-6133-1 MGASA-2026-0041 OPENSUSE-SU-2026:10190-1

Analyzed

Published: 12 Feb 2026, 13:00

Last modified:26 Feb 2026, 14:44

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

8.8 HIGH

v3.1 (cve.org)

EPSS Score

0.06% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

12 Feb 2026, 13:00

Published

Vulnerability first disclosed

26 Feb 2026, 14:44

Last Modified

Vulnerability information updated

Description

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.06%• Percentile: 19%

Techniques & Countermeasures

CWE-1287•Improper Validation of Specified Type of Input
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Affected Systems

postgresql•postgresql
≥ 14.0, < 14.21 | ≥ 15.0, < 15.16 | ≥ 16.0, < 16.12 | ≥ 17.0, < 17.8 | ≥ 18.0, < 18.2

References (1)

https://www.postgresql.org/support/security/CVE-2026-2004/