FIND-20260403-003 · 2026-04-03 · Innovation Veille
PostgreSQL CVE-2026-2005 — pgcrypto Heap Buffer Overflow RCE (CVSS 8.8)
cve
HIGH
CVE-2026-2005 is a heap buffer overflow in the PostgreSQL pgcrypto contrib module, rated CVSS 3.0 8.8 (High). An attacker who can supply ciphertext to pgcrypto can execute arbitrary code as the OS user running PostgreSQL. Affected versions: PostgreSQL 14.x before 14.21, 15.x before 15.16, 16.x before 16.12, 17.x before 17.8, and 18.x before 18.2. The fix was released on February 12, 2026 in 17.8 and the corresponding minor releases of the other supported branches. ODS currently tracks PostgreSQL 17.9 in last-versions.json, but the version actually deployed on each server must be verified; the tracked version is not evidence that the fix is running.
Source
https://www.postgresql.org/support/security/CVE-2026-2005/
ODS Impact
ODS PostgreSQL 17 container on srv-agents uses pgcrypto in the oid schema for password hashing and token encryption, so the vulnerable code path is in use and this is an RCE exposure. PostgreSQL 17.8 (released Feb 12, 2026) contains the fix; ODS last-versions.json shows 17.9, which includes the patch. pgcrypto ships with the server binaries, so the fix is applied by pulling the patched image and recreating the container, not by any extension-level update. Verify that the ods-postgres container is running 17.8 or later via: docker exec ods-postgres psql -U ods -tAc 'SELECT version();' (the -tA flags drop psql's header and footer so only the version string is printed).
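The version check above, as an added example (not code from the PostgreSQL advisory or the ODS repository): a small POSIX shell script that parses the output of SELECT version() or SHOW server_version and compares it against the first fixed minor of each branch listed in this finding. The container name ods-postgres and the database user ods are taken from the finding; the check_container wrapper and its output format are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this finding; not code from the PostgreSQL advisory or the ODS repository.
# Decides whether a server version string is at or past the first release fixed for
# CVE-2026-2005, using the fixed minors listed in the finding: 14.21, 15.16, 16.12, 17.8, 18.2.

# fixed_minor MAJOR: print the first fixed minor of that branch; fail if the branch is unknown.
fixed_minor() {
    case "$1" in
        14) echo 21 ;;
        15) echo 16 ;;
        16) echo 12 ;;
        17) echo 8 ;;
        18) echo 2 ;;
        *)  return 1 ;;
    esac
}

# pg_version_fixed VERSION_STRING: exit 0 if patched, 1 if vulnerable, 2 if unrecognised.
# Accepts the output of SELECT version() ("PostgreSQL 17.9 on x86_64-pc-linux-gnu, ...")
# or a bare "17.9" as returned by SHOW server_version. Pre-release strings such as
# "18beta1" have no minor and are reported as unrecognised rather than as patched.
pg_version_fixed() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\(PostgreSQL \)*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    need=$(fixed_minor "$major") || return 2
    [ "$minor" -ge "$need" ]
}

# check_container NAME DBUSER: query the live server inside a Docker container and report.
# -tA strips psql's header, footer and alignment so only the version string comes back.
# (Wrapper and output format are this example's own; container/user names are from the finding.)
check_container() {
    v=$(docker exec "$1" psql -U "$2" -tAc 'SELECT version();') || return 2
    rc=0
    pg_version_fixed "$v" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK   $1: $v"
    else
        echo "FAIL $1 (rc=$rc): $v"
        return "$rc"
    fi
}

# Uncomment to run against the container named in the finding:
# check_container ods-postgres ods
```

Run it on each host that carries a PostgreSQL container; a non-zero exit from check_container means either the server is still on a vulnerable minor (rc=1) or the version string could not be parsed (rc=2) and needs a manual look.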
Security Review
License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
postgresql
cve
security
rce
pgcrypto
buffer-overflow