Unrated severityNVD Advisory· Published Feb 12, 2026· Updated Feb 26, 2026

PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code

CVE-2026-2004

Description

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

Affected products

PostgreSQL/intarray extensiondescription
PostgreSQL/PostgreSQLllm-fuzzy
Range: >=14 <14.21, >=15 <15.16, >=16 <16.12, >=17 <17.8, >=18 <18.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.postgresql.org/support/security/CVE-2026-2004/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000