CVE-2026-2004 is a vulnerability in the PostgreSQL intarray extension's selectivity estimator function caused by improper validation of the specified input type. This flaw allows an attacker who can create database objects to execute arbitrary code on the host operating system with the same privileges as the PostgreSQL server process. The vulnerability affects multiple major PostgreSQL versions before 18.2, 17.8, 16.12, 15.16, and 14.21, indicating a broad impact across many deployments. The root cause is the failure to validate input types correctly, which can be exploited to inject malicious code during the execution of the selectivity estimator. The CVSS 3.1 score of 8.8 reflects a high-severity issue with network attack vector, low attack complexity, requiring privileges but no user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability presents a critical risk to PostgreSQL users, especially those with less restrictive database permissions. The flaw underscores the importance of input validation in database extensions and the risks posed by elevated privileges within database environments.

The vulnerability allows attackers with object creation privileges to execute arbitrary code as the operating system user running PostgreSQL, potentially leading to full system compromise. This can result in unauthorized data access, data modification, or destruction, and disruption of database availability. Organizations relying on PostgreSQL for critical applications could face severe operational impacts, including data breaches, service outages, and loss of trust. The ability to execute code at the OS level elevates the threat beyond typical SQL injection or database-level attacks, enabling attackers to pivot to other parts of the network or deploy persistent malware. Given PostgreSQL's widespread use in enterprises, cloud providers, and government systems, the impact could be extensive if exploited. The requirement for object creation privileges limits exploitation to insiders or attackers who have already gained some level of access, but the potential damage remains significant.

Organizations should immediately upgrade affected PostgreSQL instances to versions 18.2, 17.8, 16.12, 15.16, or 14.21 or later where the vulnerability is patched. Until patches are applied, restrict database permissions to limit object creation capabilities to trusted users only. Implement strict role-based access controls (RBAC) and audit database activities to detect unauthorized object creation attempts. Disable or remove the intarray extension if it is not required for application functionality. Employ network segmentation and host-based security controls to limit exposure of PostgreSQL servers. Regularly monitor PostgreSQL logs for suspicious activities related to object creation or unusual query patterns. Consider deploying runtime application self-protection (RASP) or database activity monitoring (DAM) solutions to detect exploitation attempts. Finally, maintain an incident response plan tailored to database compromise scenarios to respond swiftly if exploitation is suspected.