FIND-20260410-004 · 2026-04-10 · Innovation Veille
CVE-2026-2006 — PostgreSQL RCE via multibyte character length (CVSS 8.8, HIGH)
Type: cve · Severity: HIGH
CVE-2026-2006 is a high-severity RCE vulnerability in PostgreSQL's core text-manipulation code. Missing validation of multibyte character length allows a database user to issue crafted queries that trigger a buffer overrun and execute arbitrary code as the OS user running PostgreSQL. CVSS: 8.8. Affected: PostgreSQL 14.x-18.x before 14.21/15.16/16.12/17.8/18.2. Fixed: February 12, 2026. ODS runs PostgreSQL 17 (before 17.8) and is vulnerable.
Source
https://www.postgresql.org/support/security/CVE-2026-2006/
ODS Impact
All ODS services share the ods-postgres container running PostgreSQL 17. The current deployment (17.x < 17.8) is vulnerable to CVE-2026-2006, which allows any authenticated database user to execute arbitrary code as the postgres OS user. Because every service depends on this one database, this is a critical infrastructure risk. Upgrading to PostgreSQL 17.8 is mandatory; until then, review which roles can run arbitrary SQL against ods-postgres. Also check CVE-2026-2005 (pgcrypto RCE, same severity).
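To make the "before 17.8" check repeatable across every branch listed in the advisory, the following added example (not part of this finding or of PostgreSQL's own tooling) classifies a `SHOW server_version` string against the fixed releases given above. The `check_ods_postgres` wrapper assumes the ods-postgres container is managed by docker and exposes a `postgres` superuser role; both are assumptions, not facts from this record.

```shell
#!/bin/sh
# Added example: classify a PostgreSQL server version against the fix for
# CVE-2026-2006. Fixed releases from the advisory: 14.21 / 15.16 / 16.12 / 17.8 / 18.2.

# Print the first fixed minor release for a major branch, or nothing if the
# branch is not covered by the advisory (older, EOL majors or unknown input).
fixed_minor_for() {
  case "$1" in
    14) echo 21 ;;
    15) echo 16 ;;
    16) echo 12 ;;
    17) echo 8 ;;
    18) echo 2 ;;
    *)  echo "" ;;
  esac
}

# cve_2026_2006_status "<server_version>" prints VULNERABLE, FIXED or UNKNOWN
# and returns 1, 0 or 2 respectively so it can gate a CI job.
# Accepts the raw output of `SHOW server_version`, e.g.
# "17.5 (Debian 17.5-1.pgdg120+1)", and reduces it to "major.minor".
cve_2026_2006_status() {
  ver=$(printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
  # Pre-release strings such as "18beta1" have no minor number; do not guess.
  printf '%s' "$ver" | grep -Eq '^[0-9]+\.[0-9]+$' || { echo UNKNOWN; return 2; }
  major=${ver%%.*}
  minor=${ver#*.}
  fixed=$(fixed_minor_for "$major")
  if [ -z "$fixed" ]; then
    echo UNKNOWN; return 2
  fi
  if [ "$minor" -lt "$fixed" ]; then
    echo VULNERABLE; return 1
  fi
  echo FIXED; return 0
}

# Ask the running ods-postgres container for its version and classify it.
# Assumption (not from the finding): docker is the container runtime and the
# "postgres" role exists; adjust to the real deployment.
check_ods_postgres() {
  cve_2026_2006_status "$(docker exec ods-postgres psql -U postgres -tAc 'SHOW server_version')"
}

# Example: cve_2026_2006_status "17.5 (Debian 17.5-1.pgdg120+1)"  # prints VULNERABLE
```

Run `check_ods_postgres` from a host that can reach the container; a nonzero exit means the deployment still needs the 17.8 upgrade. The version table is deliberately the only place the advisory's numbers appear, so a follow-up release only requires editing `fixed_minor_for`.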
Security Review
License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
postgresql
cve
rce
database
security
high-severity
buffer-overflow