
Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities
Why It Matters
These flaws affect a foundational component of most enterprise data stacks, exposing billions of records to remote takeover and underscoring the risk of legacy code persisting in cloud‑first deployments.
Key Takeaways
- PostgreSQL runs in 80% of cloud workloads surveyed
- 45% of those instances are exposed to the public internet
- CVE‑2026‑2005 exploits a pgcrypto buffer overflow for privilege escalation
- CVE‑2026‑2006 leverages malformed UTF‑8 for out‑of‑bounds memory writes
- Patches released for PostgreSQL 14.21‑18.2; immediate update urged
Pulse Analysis
PostgreSQL has become the de facto relational database for modern cloud applications, powering everything from SaaS platforms to data‑intensive analytics pipelines. Wiz’s ZeroDay.Cloud competition, hosted alongside Black Hat Europe, deliberately targets high‑impact open‑source projects to surface hidden risks. By scanning more than a million cloud instances, Wiz found that PostgreSQL appears in roughly 80% of environments, and, alarmingly, 45% of those are reachable from the public internet—a configuration that turns a simple login prompt into a potential gateway for attackers.
The two CVEs uncovered stem from long‑standing flaws in the pgcrypto extension, a module many organizations trust for encryption and signing operations. CVE‑2026‑2005 triggers a heap buffer overflow in the `pgp_parse_pubenc_sesskey` function, allowing an attacker with basic create privileges to overwrite adjacent memory and ultimately execute commands as the database owner. CVE‑2026‑2006 exploits inadequate UTF‑8 validation in `pgp_sym_decrypt`, causing out‑of‑bounds reads and writes that can corrupt the process heap and hijack settings such as `search_path`. Both vulnerabilities enable full control over the database instance, exposing sensitive data and providing a foothold for lateral movement within the host network.
PostgreSQL responded swiftly, back‑porting fixes to all supported branches from 14.21 through 18.2 in early February 2026. Administrators should prioritize these updates, restrict extension creation to trusted roles, and audit logs for anomalous pgcrypto or JSON activity. The episode serves as a reminder that legacy code can linger unnoticed for decades, especially in open‑source components that receive less commercial scrutiny. Ongoing vigilance, regular patch cycles, and hardened network exposure policies are essential to safeguard the massive data ecosystems that rely on PostgreSQL.
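As an added example (not from the article, Wiz or the PostgreSQL project), the audit step above in Python: a small triage over constructed PostgreSQL statement-log lines that flags pgcrypto extension creation, PGP decrypt calls and search_path changes made by roles outside an assumed allow-list. It assumes log_statement = 'all' and the default log_line_prefix; the trusted role set is a placeholder you maintain yourself.

```python
import re
from typing import NamedTuple

# Constructed sample log lines in PostgreSQL's default log_line_prefix layout with
# log_statement = 'all'; illustrative only, not captured from a real server.
SAMPLE_LOG = """\
2026-02-13 09:12:01.004 UTC [4412] app@orders LOG:  statement: SELECT id, total FROM orders WHERE id = 42
2026-02-13 09:12:05.118 UTC [4412] app@orders LOG:  statement: CREATE EXTENSION IF NOT EXISTS pgcrypto
2026-02-13 09:12:07.330 UTC [4412] app@orders LOG:  statement: SELECT pgp_sym_decrypt(decode($1, 'hex'), $2)
2026-02-13 09:12:09.901 UTC [4412] app@orders LOG:  statement: SET search_path = pg_temp, public
2026-02-13 09:13:00.000 UTC [4413] vault@orders LOG:  statement: SELECT pgp_pub_decrypt(payload, key) FROM secrets
"""

# <timestamp> <tz> [<pid>] <user>@<db> LOG:  statement: <sql>
LINE_RE = re.compile(
    r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:  statement: (?P<sql>.*)$"
)
# Public pgcrypto PGP decrypt entry points (pgp_sym_decrypt is the one the article
# names; the pub/bytea variants are its real sibling functions in pgcrypto).
PGP_FUNC_RE = re.compile(r"\bpgp_(?:sym|pub)_decrypt(?:_bytea)?\s*\(", re.IGNORECASE)
EXT_RE = re.compile(r"\bCREATE\s+EXTENSION\b.*\bpgcrypto\b", re.IGNORECASE)
# Matches both "SET search_path ..." and "ALTER ROLE ... SET search_path ..."
SEARCH_PATH_RE = re.compile(r"\bSET\s+search_path\b", re.IGNORECASE)

class Finding(NamedTuple):
    severity: str
    user: str
    db: str
    reason: str
    sql: str

def triage(log_text: str, trusted_roles: frozenset) -> list:
    """Return findings for statements by roles outside trusted_roles (an assumed allow-list)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line, or a different log_line_prefix
        user, db, sql = m["user"], m["db"], m["sql"]
        if user in trusted_roles:
            continue
        if EXT_RE.search(sql):
            findings.append(Finding("high", user, db, "pgcrypto extension created by untrusted role", sql))
        elif PGP_FUNC_RE.search(sql):
            findings.append(Finding("high", user, db, "pgcrypto PGP decrypt call by untrusted role", sql))
        elif SEARCH_PATH_RE.search(sql):
            findings.append(Finding("medium", user, db, "search_path changed by untrusted role", sql))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, frozenset({"vault"})):
        print(f"[{f.severity}] {f.user}@{f.db}: {f.reason}\n    {f.sql}")
```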