CVE-2026-2004 - PostgreSQL intarray extension selectivity estimator executes arbitrary code

First Published: 2026/02/12

Important: This is an assessment of the impact of CVE-2026-2004 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Improper validation of input types in the PostgreSQL intarray extension allows an object creator to execute arbitrary code as the operating system user running the database server. An authenticated user with object creation privileges can bypass type validation checks in the selectivity estimator function to compromise the underlying host.

Vulnerability details

CVE-ID: CVE-2026-2004

CVE Publish Date: 2026-02-12

CVSS Base Score: 8.8

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products and versions

PostgreSQL

  • All versions prior to 18.2
  • All versions prior to 17.8
  • All versions prior to 16.12
  • All versions prior to 15.16
  • All versions prior to 14.21

EDB Postgres Extended Server

  • All versions prior to 18.2.0
  • All versions prior to 17.8.0
  • All versions prior to 16.12.0
  • All versions prior to 15.16.0
  • All versions prior to 14.21.0

EDB Postgres Advanced Server

  • All versions prior to 18.2.0
  • All versions prior to 17.8.0
  • All versions prior to 16.12.0
  • All versions prior to 15.16.0
  • All versions prior to 14.21.0

Remediation/fixes

EDB Postgres Extended Server

Affected Version    Fixed In    Fix Published
prior to 18.2.0     18.2.0      2026-02-12
prior to 17.8.0     17.8.0      2026-02-12
prior to 16.12.0    16.12.0     2026-02-12
prior to 15.16.0    15.16.0     2026-02-12
prior to 14.21.0    14.21.0     2026-02-12

EDB Postgres Advanced Server

Affected Version    Fixed In    Fix Published
prior to 18.2.0     18.2.0      2026-02-12
prior to 17.8.0     17.8.0      2026-02-12
prior to 16.12.0    16.12.0     2026-02-12
prior to 15.16.0    15.16.0     2026-02-12
prior to 14.21.0    14.21.0     2026-02-12
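
A triage query for the affected and fixed versions listed above, added here as an example and not taken from the advisory or from EDB. It is meant to be run in each database of a cluster. It assumes that server_version_num on the EDB servers follows the same major/minor numbering as community PostgreSQL, and it uses schema-level CREATE as a stand-in for the "object creation privileges" mentioned in the summary.

```sql
-- Added example, not part of the advisory.
-- 1) Compare the running server with the fixed minor release for its major
--    version, and report whether intarray is installed in this database.
WITH v AS (
    SELECT current_setting('server_version_num')::int AS num
),
fixed(major, fixed_num) AS (
    -- Fixed releases from the advisory, encoded as server_version_num values.
    VALUES (18, 180002), (17, 170008), (16, 160012),
           (15, 150016), (14, 140021)
)
SELECT
    current_setting('server_version') AS server_version,
    CASE
        WHEN v.num < 140000       THEN 'affected (prior to 14.21)'
        WHEN f.fixed_num IS NULL  THEN 'major version not listed in advisory'
        WHEN v.num < f.fixed_num  THEN 'affected'
        ELSE 'fixed'
    END AS cve_2026_2004_status,
    EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'intarray')
        AS intarray_installed
FROM v
LEFT JOIN fixed f ON f.major = v.num / 10000;

-- 2) List non-superuser login roles that can create objects in a
--    non-system schema of this database (assumption: schema CREATE
--    approximates the advisory's "object creation privileges").
SELECT r.rolname, n.nspname AS schema_name
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY r.rolname, n.nspname;
```

The second result set helps prioritise which clusters to patch first and which grants to review while an upgrade is scheduled.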
