Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities
Researchers reveal 20-year-old PostgreSQL flaws in pgcrypto at Wiz ZeroDay.Cloud event.
Summary
Cybersecurity researchers exploited two critical vulnerabilities (CVE-2026-2005 and CVE-2026-2006) in PostgreSQL's pgcrypto extension during Wiz's ZeroDay.Cloud hacking competition in December 2025. The flaws, dating back to 2005, are heap buffer overflows that let an attacker holding only basic CREATE privileges on a database escalate to database owner. PostgreSQL released patches across versions 14.21 to 18.2 in February 2026. Wiz reports that PostgreSQL runs in 80% of the cloud environments it scanned and that 45% of those instances are exposed to the public internet.
Full text
By Waqas, May 4, 2026

Cybersecurity researchers participating in Wiz's ZeroDay.Cloud hacking event in London, England, exploited two critical vulnerabilities in PostgreSQL, the database that runs behind countless enterprise applications. The event took place in December 2025, but details were only released on May 4, 2026.

What is the ZeroDay.Cloud Event?

ZeroDay.Cloud is a security research event created by Google-owned Wiz, Inc. It is a cloud and AI hacking competition in which researchers uncover zero-day vulnerabilities in widely used open-source software. Targets include PostgreSQL, Redis, Kubernetes, the Linux kernel and web servers. The event was announced on September 30, 2025, and the first live competition took place on December 10–11, 2025, in London during Black Hat Europe.

PostgreSQL Vulnerabilities

The vulnerabilities, tracked as CVE-2026-2005 and CVE-2026-2006, date back to 2005 and went unnoticed in pgcrypto, a standard contrib extension for encryption tasks that is widely regarded as safe by default. pgcrypto is also marked as a trusted extension, which is why a user who merely holds CREATE privilege on a database can install it without superuser rights.

Wiz ran the numbers after the findings and saw PostgreSQL in 80% of the cloud environments it scanned, with 45% of those instances open to the public internet. Combined with the low privilege the bugs require, that means an ordinary database login on an exposed instance is enough to reach them.

According to Wiz's technical blog post on CVE-2026-2005, shared with Hackread.com, the flaw lies in pgp_parse_pubenc_sesskey, the function that handles the session key during public-key decryption in pgcrypto. An attacker supplies a crafted PGP message that tricks the code into copying more bytes into a fixed-size buffer than it can hold, spilling into adjacent heap memory.
From there, a user with basic CREATE privileges loads the extension and chains memory leaks, controlled writes and privilege escalation to run commands as the database owner.

The second report, on CVE-2026-2006, describes a similar flaw in symmetric decryption via pgp_sym_decrypt. Without proper validation, malformed UTF-8 slips through PostgreSQL's multibyte string handlers, such as pg_mblen and pg_utf_mblen, leading to out-of-bounds reads or writes. Attackers can use this to corrupt memory and gain control over execution, including hijacking settings such as search_path to trigger system calls.

CVE-2026-2005 was identified by Team Xint Code, and CVE-2026-2006 by Team Bugz Bunnies. Team Xint Code also spotted a third issue, in MariaDB, assigned CVE-2026-32710: a heap buffer overflow in the JSON_SCHEMA_VALID function that any logged-in user can reach with a single SQL query, potentially running code or crashing the server.

Patches and Mitigation

PostgreSQL patched both flaws across its main branches, from 14.21 up to 18.2, with commits in early February 2026 and releases by February 12. MariaDB fixed its issue in versions 11.4.10 and 11.8.6 on February 4, 2026. Database administrators should apply the updates immediately, restrict who can create extensions, and audit logs for suspicious pgp or JSON activity.
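The two bug shapes described above (a declared length copied into a fixed-size buffer in pgp_parse_pubenc_sesskey, and malformed UTF-8 walked by lead-byte length past the end of its buffer in pgp_sym_decrypt) reduce to the same missing check: compare what the input claims against what is actually there before touching memory. The C program below is an added example written for this page; it is not pgcrypto or PostgreSQL source and not the researchers' exploit. Its toy message framing, the SESSKEY_MAX and NEIGHBOUR_LEN sizes, the heap_sim struct and every sample byte are constructed assumptions. For each shape it places an unchecked routine beside a checked one and measures the overflow or over-read without the program itself stepping out of bounds.

```c
/* Added illustration for this page (not pgcrypto or PostgreSQL code): the two
 * "trust the declared length" shapes the article attributes to pgcrypto, each
 * beside a checked version. Framing, sizes and sample bytes are assumptions;
 * utf8_mblen applies the lead-byte rule pg_utf_mblen uses. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SESSKEY_MAX   16   /* fixed-size destination for the session key */
#define NEIGHBOUR_LEN 16   /* simulated adjacent heap object */

/* Two adjacent heap objects in one block: the unchecked copy corrupts the
 * neighbour while the program itself never leaves "raw". */
struct heap_sim { unsigned char raw[SESSKEY_MAX + NEIGHBOUR_LEN]; };

/* Toy framing (assumed): msg[0] = key length, followed by that many bytes.
 * Unchecked parser: copies the declared length without comparing it to the
 * destination size; returns how many bytes landed in the neighbour. */
size_t parse_sesskey_unchecked(const unsigned char *msg, size_t msg_len, struct heap_sim *h)
{
    if (msg_len < 1) return 0;
    size_t declared = msg[0];
    if (declared > msg_len - 1) declared = msg_len - 1;     /* stay inside msg */
    if (declared > sizeof h->raw) declared = sizeof h->raw; /* stay inside sim */
    memcpy(h->raw, msg + 1, declared);  /* BUG: SESSKEY_MAX never consulted */
    return declared > SESSKEY_MAX ? declared - SESSKEY_MAX : 0;
}

/* Checked parser: rejects a length exceeding the input or the destination. */
bool parse_sesskey_checked(const unsigned char *msg, size_t msg_len,
                           unsigned char out[SESSKEY_MAX], size_t *out_len)
{
    if (msg_len < 1) return false;
    size_t declared = msg[0];
    if (declared > msg_len - 1) return false;   /* truncated message */
    if (declared > SESSKEY_MAX) return false;   /* would overflow the buffer */
    memcpy(out, msg + 1, declared);
    *out_len = declared;
    return true;
}

/* Byte length implied by a UTF-8 lead byte; continuation bytes and bytes
 * above 0xF7 count as length 1, as in pg_utf_mblen. */
int utf8_mblen(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Unchecked walker: steps by the lead byte alone. Rather than read past the
 * buffer (undefined behaviour) it returns how far past the end it reached. */
size_t utf8_walk_unchecked_overrun(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) i += (size_t)utf8_mblen(s[i]);
    return i - len;
}

/* Checked walker: structural validation (truncation, stray or malformed
 * continuation bytes). It does not reject overlong forms or surrogates,
 * which a full verifier such as PostgreSQL's also must. */
bool utf8_verify(const unsigned char *s, size_t len, size_t *nchars)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char lead = s[i];
        if ((lead & 0xC0) == 0x80 || lead >= 0xF8) return false; /* not a lead */
        size_t mb = (size_t)utf8_mblen(lead);
        if (mb > len - i) return false;                  /* runs off the end */
        for (size_t k = 1; k < mb; k++)
            if ((s[i + k] & 0xC0) != 0x80) return false; /* bad continuation */
        i += mb; n++;
    }
    *nchars = n;
    return true;
}

/* Constructed samples (editor's bytes, not captured traffic). */
static const unsigned char crafted_msg[] = {            /* declares 24 > 16 */
    24, 'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
        'B','B','B','B','B','B','B','B' };
static const unsigned char truncated_utf8[] = { 'a', 'b', 0xE2, 0x82 };

/* Feeds crafted_msg to both parsers: returns bytes spilled into the neighbour. */
size_t demo_sesskey(bool *neighbour_hit, bool *checked_refused)
{
    struct heap_sim h = {{0}};
    unsigned char out[SESSKEY_MAX];
    size_t out_len, spilled = parse_sesskey_unchecked(crafted_msg, sizeof crafted_msg, &h);
    *neighbour_hit = h.raw[SESSKEY_MAX] == 'B';
    *checked_refused = !parse_sesskey_checked(crafted_msg, sizeof crafted_msg, out, &out_len);
    return spilled;
}

int main(void)
{
    bool hit, refused;
    size_t n = 0, spilled = demo_sesskey(&hit, &refused);
    printf("spilled=%zu neighbour_hit=%d checked_refused=%d\n", spilled, (int)hit, (int)refused);
    printf("overrun=%zu verify=%d\n", utf8_walk_unchecked_overrun(truncated_utf8, 4),
           (int)utf8_verify(truncated_utf8, 4, &n));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run it. The unchecked session-key parser reports 8 bytes written into the simulated neighbouring object while the checked parser refuses the same message, and the truncated UTF-8 sample makes the lead-byte walker reach one byte past the end while utf8_verify rejects it. Neither check is the actual PostgreSQL fix; the point is the comparison each one adds between the declared length and the bytes that really exist, made before the copy or read rather than after.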
Indicators of Compromise
- cve — CVE-2026-2005
- cve — CVE-2026-2006
- cve — CVE-2026-32710