FIND-20260413-017 · 2026-04-13 · Innovation Veille

PostgreSQL 17.9 Security Release: CVE-2026-2006 RCE and CVE-2026-2007 Heap Overflow

cve HIGH
PostgreSQL 17.9 (released February 26, 2026) patches two critical vulnerabilities: CVE-2026-2006 is a critical buffer overflow in text manipulation functions allowing an authenticated database user to trigger RCE; CVE-2026-2007 is a heap buffer overflow in pg_trgm extension exploitable via crafted input strings. ODS uses PostgreSQL 17 as its primary database across all services. The ODS tracker shows 17.9 as current — confirm the running ods-postgres container is actually on 17.9.

Source

https://www.postgresql.org/support/security/

ODS Impact

CRITICAL: All ODS services share the ods-postgres container (ods-postgres:5432, host 127.0.0.1:5433). CVE-2026-2006 requires only authenticated DB access to trigger RCE, so every service account with a database login is in scope. Verify the ods-postgres Docker image version immediately; if it is not on 17.9, patch urgently.
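The check the finding asks for, as an added example (not part of the original finding or of any ODS tooling): a POSIX shell script that reads the server version out of the running container and decides whether it is at or above 17.9, and reports whether pg_trgm (the extension affected by CVE-2026-2007) is installed in the queried database. Assumed: the docker CLI is available, the container name ods-postgres and the required version 17.9 come from the finding, the database superuser is named postgres (assumption), and the helper function names are ours.

```shell
#!/bin/sh
# Added example, not ODS code. Confirms that the PostgreSQL in a running
# container is at or above the patched release named in the finding.

REQUIRED_MAJOR=17   # from the finding: PostgreSQL 17.x
REQUIRED_MINOR=9    # from the finding: 17.9 contains the fixes
PG_USER=postgres    # assumption: superuser name inside the container

# pg_version_from_banner BANNER
#   Extracts "major.minor" from `SELECT version();` output
#   ("PostgreSQL 17.9 on x86_64...") or from `postgres --version`
#   ("postgres (PostgreSQL) 17.9"). Prints nothing if no version is found.
pg_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/.*PostgreSQL[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# pg_version_patched VERSION
#   Exit 0 when VERSION is 17.9 or a later 17.x minor release,
#   exit 1 when it is an older 17.x release (needs the upgrade),
#   exit 2 when VERSION is malformed or on a different major line
#   (a different major needs its own advisory lookup, not this check).
pg_version_patched() {
    ver="$1"
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    minor=${ver#*.}
    case "$major$minor" in *[!0-9]*) return 2 ;; esac
    [ "$major" -eq "$REQUIRED_MAJOR" ] || return 2
    [ "$minor" -ge "$REQUIRED_MINOR" ]
}

# check_container [NAME]
#   Queries the live server inside the container rather than trusting the
#   image tag, since a tag can be re-pointed without the container being
#   recreated. Also reports pg_trgm because CVE-2026-2007 lives there.
#   Note: pg_extension is per database; repeat the query for each database.
check_container() {
    name="${1:-ods-postgres}"
    banner=$(docker exec "$name" psql -U "$PG_USER" -tAc 'SELECT version();' 2>/dev/null) || {
        echo "$name: could not query server (docker available and container running?)"
        return 3
    }
    ver=$(pg_version_from_banner "$banner")
    rc=0
    pg_version_patched "$ver" || rc=$?
    case "$rc" in
        0) echo "$name: PostgreSQL $ver is at or above $REQUIRED_MAJOR.$REQUIRED_MINOR (patched)" ;;
        1) echo "$name: PostgreSQL $ver is NOT patched, upgrade to $REQUIRED_MAJOR.$REQUIRED_MINOR" ;;
        *) echo "$name: version '${ver:-unknown}' not on the $REQUIRED_MAJOR.x line, check its own advisory" ;;
    esac
    trgm=$(docker exec "$name" psql -U "$PG_USER" -tAc \
        "SELECT extversion FROM pg_extension WHERE extname = 'pg_trgm';" 2>/dev/null)
    if [ -n "$trgm" ]; then
        echo "$name: pg_trgm $trgm is installed here (CVE-2026-2007 applies to this database)"
    fi
    return "$rc"
}

# Only touch docker when explicitly asked, so the helpers stay testable offline:
#   sh check_pg.sh --run ods-postgres
if [ "${1:-}" = "--run" ]; then
    check_container "${2:-ods-postgres}"
fi
```

The exit status of check_container is the version verdict (0 patched, 1 needs upgrade, 2 unexpected major, 3 could not query), so the script can sit in a cron job or CI step that fails on anything but 0.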

Security Review

License: PostgreSQL License | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

postgresql cve rce security database critical infrastructure