FIND-20260329-017 · 2026-03-29 · Innovation Veille

CVE-2026-2005 PostgreSQL pgcrypto heap buffer overflow — patch available in 17.9

Type: cve | Severity: HIGH
CVE-2026-2005 is a heap buffer overflow in the PostgreSQL pgcrypto extension (CVSS 8.8), disclosed February 12, 2026. Anyone who can supply ciphertext to pgcrypto can execute arbitrary code as the OS user running PostgreSQL. Patched versions are 18.2, 17.9, 16.12, 15.16, and 14.21. ODS runs PostgreSQL 17, so an upgrade to 17.9 is required. The ODS oid, docstore, and billing-engine schemas use pgcrypto for encryption at rest. The last known ODS version was 17.9 (via the out-of-cycle February 26 release), confirming that the patch is available. Immediate upgrade of the ods-postgres container is recommended.

Source

https://www.postgresql.org/support/security/CVE-2026-2005/

ODS Impact

ods-postgres container (PostgreSQL 17): any schema that uses the pgcrypto extension is exposed. OID uses pgcrypto for password hashing. Billing Engine uses pgcrypto for sensitive-field encryption. Upgrade the ods-postgres image to postgres:17.9-alpine or later immediately.
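Added verification helper (not part of the original finding or of PostgreSQL): it maps a server's reported version onto the patched releases listed above and flags databases that have pgcrypto installed on an unpatched server. The database names and extension lists below are constructed sample data; in practice they come from `SHOW server_version;` and the `PGCRYPTO_SQL` query run against each database.

```python
"""CVE-2026-2005 exposure check: patched-release lookup plus pgcrypto inventory."""
import re
from typing import Optional

# First fixed minor per major line, as given in the advisory (18.2, 17.9, ...).
FIXED_MINOR = {18: 2, 17: 9, 16: 12, 15: 16, 14: 21}

# Queries to run per server / per database to feed the functions below.
VERSION_SQL = "SHOW server_version;"
PGCRYPTO_SQL = "SELECT 1 FROM pg_extension WHERE extname = 'pgcrypto';"


def parse_server_version(version_text: str) -> tuple:
    """Return (major, minor) from `SHOW server_version` or `SELECT version()` output.
    '17.8 (Debian 17.8-1.pgdg120+1)' -> (17, 8); pre-release tags such as
    '18beta1' carry no minor and are treated as minor 0 (i.e. unpatched)."""
    m = re.match(r"\s*(?:PostgreSQL\s+)?(\d+)(?:\.(\d+))?", version_text)
    if not m:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_fixed(version_text: str) -> Optional[bool]:
    """True if the server is on or past the fixed release for its major line,
    False if it is behind, None if the major has no fix listed (EOL line)."""
    major, minor = parse_server_version(version_text)
    if major not in FIXED_MINOR:
        return None
    return minor >= FIXED_MINOR[major]


def exposed_databases(version_text: str, extensions_by_db: dict) -> list:
    """Databases that still need action: pgcrypto is installed and the server
    is not confirmed fixed (behind the fix or on an unlisted major)."""
    if is_fixed(version_text) is True:
        return []
    return sorted(db for db, exts in extensions_by_db.items() if "pgcrypto" in exts)


# Constructed sample inventory, shaped like the ODS layout described above.
SAMPLE_EXTENSIONS = {
    "oid": ["plpgsql", "pgcrypto"],
    "docstore": ["plpgsql", "pgcrypto"],
    "billing-engine": ["pgcrypto"],
    "metrics": ["plpgsql"],
}

if __name__ == "__main__":
    for reported in ("17.8 (Debian 17.8-1.pgdg120+1)", "17.9"):
        print(reported, "->", is_fixed(reported), exposed_databases(reported, SAMPLE_EXTENSIONS))
```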

Security Review

License: N/A | Maintenance: ACTIVE | Risk: LOW | Recommendation: DO_NOT_USE

Tags

postgresql cve pgcrypto security critical heap-overflow