Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities

Cybersecurity researchers at Wiz’s ZeroDay.Cloud hacking event in London have successfully exploited two significant vulnerabilities in PostgreSQL, a database engine integral to numerous enterprise applications. Although the event occurred in December 2025, details surrounding these vulnerabilities were disclosed on May 4, 2026.

What is the ZeroDay.Cloud Event?

ZeroDay.Cloud is an innovative security research initiative spearheaded by Google-owned Wiz, Inc. This competition focuses on cloud and AI hacking, encouraging researchers to uncover zero-day vulnerabilities within widely utilized open-source software. The event targets a variety of systems, including PostgreSQL, Redis, Kubernetes, the Linux kernel, and various web servers.

The inaugural live competition was announced on September 30, 2025, and took place on December 10–11, 2025, in London, coinciding with Black Hat Europe.

PostgreSQL Vulnerabilities

The vulnerabilities identified during the event are tracked as CVE-2026-2005 and CVE-2026-2006. Both date back to 2005 and were found within the pgcrypto extension, a widely used tool for encryption tasks that is generally considered secure.

Wiz’s analysis revealed that PostgreSQL is present in 80% of the cloud environments they scanned, with 45% of those instances exposed to the public internet. This exposure transforms a database login into a potential gateway for unauthorized access.

In a detailed blog post shared by Wiz, the CVE-2026-2005 vulnerability is explained as affecting a function called pgp_parse_pubenc_sesskey during public-key decryption in pgcrypto. An attacker can trigger it by sending a specially crafted PGP message that causes the code to copy more bytes than the fixed-size destination buffer can hold, overflowing into adjacent heap memory.

This vulnerability allows a user with basic create privileges to load the extension and execute a series of actions that can lead to privilege escalation, enabling them to run commands as the database owner.

The second vulnerability, CVE-2026-2006, presents a similar issue in symmetric decryption via pgp_sym_decrypt. Due to inadequate checks, malformed UTF-8 data can bypass PostgreSQL’s string handlers, such as pg_mblen and pg_utf_mblen, leading to out-of-bounds reads or writes. This flaw can be leveraged by attackers to corrupt memory and seize control over execution, including altering settings like search_path to initiate system calls.

It is noteworthy that the CVE-2026-2005 vulnerability was identified by Team Xint Code, while Team Bugz Bunnies discovered CVE-2026-2006. Additionally, Team Xint Code also uncovered a third vulnerability in MariaDB, designated as CVE-2026-32710. This heap buffer overflow in the JSON_SCHEMA_VALID function allows any logged-in user to execute a single SQL query that could potentially run arbitrary code or crash the server.

Patches and Mitigation

In response to these findings, PostgreSQL released patches for both vulnerabilities across its supported branches, from version 14.21 through 18.2; the fixes landed in early February and shipped in official releases by February 12. Similarly, MariaDB addressed the issue in versions 11.4.10 and 11.8.6 on February 4, 2026.

Database administrators are urged to apply these updates promptly, restrict the creation of extensions, and conduct thorough audits of logs for any suspicious activity related to pgp or JSON operations.
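The following psql triage script is an added example (it is not from the Wiz write-up or the PostgreSQL project) that turns the three recommendations above into concrete checks: it reports the running server version, whether pgcrypto is installed, and which roles hold the database-level CREATE privilege that is enough to load a trusted extension such as pgcrypto, then revokes that privilege where it is not needed. The database name `app_db` and role `app_user` are placeholders; the patched minor for your major version must be taken from the release notes.

```sql
-- Added example, not project code. Run per database as a superuser or DBA role.

-- 1. Running version: compare against the fixed releases (14.21 ... 18.2 per the
--    advisory; check the exact minor for your major version in the release notes).
SELECT current_setting('server_version')           AS server_version,
       current_setting('server_version_num')::int  AS version_num;

-- 2. Is pgcrypto installed here, in which schema, and who owns it?
SELECT e.extname, e.extversion, r.rolname AS owner, n.nspname AS schema
FROM pg_extension e
JOIN pg_roles     r ON r.oid = e.extowner
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname = 'pgcrypto';

-- 3. Who can run CREATE EXTENSION? pgcrypto is marked trusted, so CREATE on the
--    database (not superuser) is sufficient. Built-in pg_* roles are skipped.
SELECT r.rolname,
       r.rolsuper,
       has_database_privilege(r.rolname, current_database(), 'CREATE') AS can_create
FROM pg_roles r
WHERE r.rolname NOT LIKE 'pg\_%'
ORDER BY r.rolsuper DESC, can_create DESC, r.rolname;

-- 4. Tighten: application roles normally need no CREATE on the database itself.
--    app_db and app_user are placeholders for your own names.
REVOKE CREATE ON DATABASE app_db FROM PUBLIC;
REVOKE CREATE ON DATABASE app_db FROM app_user;

-- 5. Give log review something to find: record every statement issued by roles
--    that still have access to pgcrypto functions (cost: verbose logs for that role).
ALTER ROLE app_user SET log_statement = 'all';
```

Step 3 is the one to re-run after any role change, since a role that regains CREATE can reinstall the extension without superuser rights.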
