FIND-20260402-003 · 2026-04-02 · Innovation Veille

CVE-2026-2005 + CVE-2026-2006: PostgreSQL pgcrypto heap overflow + multibyte RCE. ODS ods-postgres version must be verified (recorded as 17.9; fix release is 17.8)

cve HIGH
Two HIGH (CVSS 8.8) remote code execution vulnerabilities in PostgreSQL. CVE-2026-2005: heap buffer overflow in the pgcrypto extension, allowing arbitrary code execution as the database server's OS user. CVE-2026-2006: missing length validation of multibyte characters lets a crafted query overrun a buffer and likewise execute arbitrary code. Both are fixed in PostgreSQL 17.8 (released February 2026). ODS last-versions.json records postgresql 17.9, which does not correspond to any published release at the time of writing (the latest is 17.8), so the recorded version cannot be used to establish patch status; it may be a typo or a placeholder. The fix track requires 17.8 or later. ACTION REQUIRED: verify the exact PostgreSQL version actually running in the ods-postgres container, and upgrade if it is below 17.8.

Source

https://www.postgresql.org/support/security/CVE-2026-2005/

ODS Impact

The ods-postgres container is the central database for all ODS services (oid, docstore, pdf-engine, workflow-engine, etc.). RCE as the postgres OS user would expose all tenant data across all schemas. pgcrypto is used by the SecureMail service, so the vulnerable extension is present in the deployment. The multibyte character vulnerability is relevant to any service storing text-heavy columns (DocStore, Form Engine). Immediate verification of the running server version and upgrade to 17.8 or later are required.
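The version verification called for above and in the summary, as an added example that is not part of this finding or of the ODS project. It queries the running server rather than trusting last-versions.json, gates on the 17.8 fix release named in the advisory, and flags whether pgcrypto is installed in each database (pg_extension is a per-database catalog, so one query is not enough). The container name ods-postgres, the postgres superuser, and the use of docker exec are assumptions; the sample inputs at the bottom are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the finding or ODS). Assumptions: container is
# named "ods-postgres", psql runs as superuser "postgres" inside it, and
# 17.8 is the fix release for the 17.x branch (per the advisory).

MIN_FIX_17="17.8"

# pg_clean_version: "17.6 (Debian 17.6-1.pgdg120+1)" -> "17.6"
pg_clean_version() {
  printf '%s\n' "$1" | sed -E 's/^[^0-9]*([0-9]+(\.[0-9]+)?).*$/\1/'
}

# pg_below_fix VERSION MIN
#   exit 0: same major branch as MIN and older than MIN  -> upgrade
#   exit 1: at or above MIN                             -> patched
#   exit 2: different major branch or unparseable       -> check that branch
pg_below_fix() {
  v=$(pg_clean_version "$1"); m=$(pg_clean_version "$2")
  case "$v" in ''|*[!0-9.]*) return 2;; esac
  vmaj=${v%%.*}; mmaj=${m%%.*}
  case "$v" in *.*) vmin=${v#*.};; *) vmin=0;; esac
  case "$m" in *.*) mmin=${m#*.};; *) mmin=0;; esac
  [ "$vmaj" -eq "$mmaj" ] || return 2
  [ "$vmin" -lt "$mmin" ] && return 0
  return 1
}

# pg_verdict VERSION EXTLIST
#   VERSION: raw output of `SHOW server_version`
#   EXTLIST: newline-separated extension names from pg_extension
#   Prints "<VULNERABLE|PATCHED|CHECK_BRANCH> pgcrypto=<installed|absent>"
pg_verdict() {
  pg_below_fix "$1" "$MIN_FIX_17" && rc=0 || rc=$?
  case $rc in
    0) state=VULNERABLE ;;
    1) state=PATCHED ;;
    *) state=CHECK_BRANCH ;;
  esac
  if printf '%s\n' "$2" | grep -qx pgcrypto; then
    printf '%s pgcrypto=installed\n' "$state"
  else
    printf '%s pgcrypto=absent\n' "$state"
  fi
}

# Live check against the container. Only runs when called explicitly:
#   pg_check_container ods-postgres
pg_check_container() {
  name=${1:-ods-postgres}
  ver=$(docker exec "$name" psql -U postgres -Atc 'SHOW server_version') || return 3
  printf 'server_version: %s\n' "$ver"
  # Walk every connectable database; database names with spaces are not expected here.
  for db in $(docker exec "$name" psql -U postgres -Atc \
      "SELECT datname FROM pg_database WHERE datallowconn"); do
    exts=$(docker exec "$name" psql -U postgres -d "$db" -Atc \
      "SELECT extname FROM pg_extension")
    printf '%s: ' "$db"; pg_verdict "$ver" "$exts"
  done
}

# Constructed sample inputs for offline use (not from any real ODS host):
SAMPLE_OLD_VERSION='17.6 (Debian 17.6-1.pgdg120+1)'
SAMPLE_OLD_EXTS='plpgsql
pgcrypto'
pg_verdict "$SAMPLE_OLD_VERSION" "$SAMPLE_OLD_EXTS"
```

Any VULNERABLE line is the upgrade trigger regardless of what last-versions.json says; a CHECK_BRANCH result means the server is on a different major branch (for example 16.x), whose own fix release must be looked up in the advisory before deciding. A PATCHED result with pgcrypto=absent still leaves CVE-2026-2006 in scope, since that one does not depend on the extension.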

Security Review

License: N/A (CVE) | Maintenance: ACTIVE | Risk: HIGH | Recommendation: DO_NOT_USE

Tags

cve postgresql high rce pgcrypto database action-required ods-postgres