CVE-2026-2004

8.8 HIGH

📋 TL;DR

This vulnerability in PostgreSQL's intarray extension allows attackers to execute arbitrary code with the privileges of the database operating system user. It affects PostgreSQL installations with the intarray extension enabled, specifically versions before 18.2, 17.8, 16.12, 15.16, and 14.21.

💻 Affected Systems

Products:
  • PostgreSQL
Versions: All versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21
Operating Systems: All operating systems running affected PostgreSQL versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if the intarray extension is installed and enabled. The extension is not installed by default but may be added manually or by applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with database user privileges leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Database compromise allowing data exfiltration, privilege escalation, or denial of service attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are enforced, though database integrity could still be compromised.

🌐 Internet-Facing: HIGH - Internet-facing PostgreSQL instances with intarray extension are directly exploitable by remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but requires database access and intarray privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires database access and CREATE privilege on the intarray extension. The vulnerability is in a selectivity estimator function that can be triggered through crafted queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PostgreSQL 18.2, 17.8, 16.12, 15.16, or 14.21

Vendor Advisory: https://www.postgresql.org/support/security/CVE-2026-2004/

Restart Required: Yes

Instructions:

1. Back up your database.
2. Stop the PostgreSQL service.
3. Upgrade to a patched version using your distribution's package manager or PostgreSQL binaries.
4. Restart the PostgreSQL service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable intarray extension (platforms: all)

Remove or disable the vulnerable intarray extension if it is not required:

DROP EXTENSION intarray;

Note that DROP EXTENSION fails if tables or indexes still depend on intarray's types or operator classes; find those dependents first rather than reaching for CASCADE, which would drop them.

Restrict CREATE privileges (platforms: all)

Revoke CREATE privilege on the intarray extension from non-admin users:

REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

The second statement also removes USAGE on the public schema, so roles that rely on unqualified access to objects in public lose it; test it against the application's roles before applying it in production.

🧯 If You Can't Patch

  • Disable the intarray extension immediately if not essential for operations
  • Implement strict network controls to limit database access to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check the PostgreSQL version with:

SELECT version();

and verify whether the intarray extension is installed with:

SELECT * FROM pg_extension WHERE extname = 'intarray';

Check Version:

SELECT version();

Verify Fix Applied:

After patching, confirm with SELECT version(); that the server reports 18.2, 17.8, 16.12, 15.16 or 14.21, or a later minor release of the same major.
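To make the two checks above repeatable across a fleet, here is an added Python example (not from this page or the PostgreSQL project) that parses the text SELECT version() returns and, given whether pg_extension lists intarray, classifies the server against this advisory. The fixed minor versions come from the page; the handling of majors older than 14 (treated as vulnerable because they receive no fix) and newer than 18 (reported as unknown) is an assumption, as are the constructed sample strings.

```python
import re

# First minor release of each supported major that contains the fix,
# taken from the advisory above.
FIXED_MINOR = {18: 2, 17: 8, 16: 12, 15: 16, 14: 21}

# The two checks from the advisory, for running via psql.
VERSION_SQL = "SELECT version();"
INTARRAY_SQL = "SELECT * FROM pg_extension WHERE extname = 'intarray';"

# Matches "PostgreSQL 16.11 ..." and also "PostgreSQL 18beta1" (no minor).
VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major, minor) from the text SELECT version() produces.

    Pre-release strings such as 'PostgreSQL 18beta1' carry no minor number
    and are treated as minor 0, i.e. older than any fixed release.
    """
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not a PostgreSQL version string: %r" % version_string)
    return int(m.group(1)), int(m.group(2) or 0)


def assess(version_string, intarray_installed):
    """Classify a server against CVE-2026-2004.

    Returns one of:
      'not_affected'  intarray is not installed, so there is nothing to trigger
      'patched'       the running minor carries the fix
      'vulnerable'    the running minor predates the fix
      'unknown'       a major newer than the advisory covers
    """
    major, minor = parse_version(version_string)
    if not intarray_installed:
        return "not_affected"
    if major in FIXED_MINOR:
        return "patched" if minor >= FIXED_MINOR[major] else "vulnerable"
    if major < 14:
        # Assumption, not stated on the page: majors older than 14 are past
        # end of life and get no fix, so treat them as vulnerable.
        return "vulnerable"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample output, standing in for the two psql queries.
    sample_version = "PostgreSQL 16.11 (Debian 16.11-1.pgdg120+1) on x86_64-pc-linux-gnu"
    sample_intarray_row_present = True
    print(VERSION_SQL, "->", sample_version)
    print(INTARRAY_SQL, "->", "1 row" if sample_intarray_row_present else "0 rows")
    print("assessment:", assess(sample_version, sample_intarray_row_present))
```

Feed it the raw output of the two queries from psql -At; the extension check is a row count, so any row for extname = 'intarray' means intarray_installed is True. Because the extension is per database, run the pg_extension query in every database on the server, not just the default one.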

📡 Detection & Monitoring

Log Indicators:

  • Unusual queries involving intarray functions
  • Failed authentication attempts followed by intarray-related queries
  • Errors related to intarray selectivity estimator

Network Indicators:

  • Unusual database connection patterns from unexpected sources
  • High volume of complex queries to PostgreSQL

SIEM Query:

source="postgresql.log" AND ("intarray" OR "selectivity" OR "CVE-2026-2004")
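As an added example (not from this page), the SIEM query's terms applied to PostgreSQL's own log with a little more structure: the Python below parses lines written with log_line_prefix '%m [%p] %u@%d ' (an assumption about the logging configuration), flags intarray-related statements and errors, and covers the "failed authentication followed by intarray-related queries" indicator by remembering recent failures per role. It also extends the page's three search terms with intarray's own type and function names (query_int, icount, subarray), since a statement that uses the extension need not contain the word "intarray". The log lines are constructed samples, not real server output.

```python
import re
from datetime import datetime, timedelta

# Assumption: the server logs with log_line_prefix = '%m [%p] %u@%d '
# (timestamp with milliseconds and zone, pid, user@database).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ "
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Terms from the advisory's SIEM query ...
ADVISORY_TERMS = ("intarray", "selectivity", "cve-2026-2004")
# ... plus intarray's own type/function names, which a statement can use
# without ever containing the word "intarray".
EXTENSION_TERMS = ("query_int", "icount(", "subarray(")
TERMS = ADVISORY_TERMS + EXTENSION_TERMS

AUTH_FAIL = "authentication failed"
WINDOW = timedelta(minutes=5)  # how long a failed login counts as "recent"

# Constructed sample log, not real server output.
SAMPLE_LOG = [
    "2026-02-20 10:01:02.123 UTC [4321] app@inventory LOG:  statement: SELECT id FROM items WHERE tags @@ '12&34'::query_int",
    "2026-02-20 10:01:03.456 UTC [4321] app@inventory ERROR:  intarray selectivity estimator error (constructed message)",
    "2026-02-20 10:01:04.000 UTC [4322] web@inventory FATAL:  password authentication failed for user \"web\"",
    "2026-02-20 10:01:05.000 UTC [4323] web@inventory LOG:  statement: CREATE EXTENSION intarray",
    "2026-02-20 10:02:00.000 UTC [4324] report@sales LOG:  statement: SELECT count(*) FROM orders",
]


def parse_line(line):
    """Split one log line into fields; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def scan(lines):
    """Return findings for intarray-related lines, noting when the same
    role had a failed login within WINDOW before the statement."""
    findings = []
    last_auth_fail = {}  # role -> time of its most recent failed login
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"].lower()
        if AUTH_FAIL in msg:
            last_auth_fail[rec["user"]] = rec["ts"]
            continue
        if not any(term in msg for term in TERMS):
            continue
        reason = "intarray-related"
        prior = last_auth_fail.get(rec["user"])
        if prior is not None and rec["ts"] - prior <= WINDOW:
            reason += " after failed auth"
        findings.append({"ts": rec["ts"], "user": rec["user"],
                         "db": rec["db"], "level": rec["level"],
                         "reason": reason, "msg": rec["msg"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["user"] + "@" + f["db"], f["level"], f["reason"])
```

The statement lines only appear if log_statement (or log_min_duration_statement) is set to record them; with the default log_statement = 'none' the error and authentication lines still show up, but the statement-based matches will not, so check that setting before relying on this detection.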
