AI Tools Expose PostgreSQL and MariaDB Flaws Hidden for Decades
In a dramatic example of how AI is advancing cybersecurity research, AI-assisted analysis tools helped uncover new vulnerabilities involving PostgreSQL and MariaDB, including flaws that had remained hidden for more than 20 years.
Security researchers have disclosed multiple high- and critical-severity long-dormant flaws affecting the two widely used open-source database platforms. Several of the vulnerabilities could enable remote code execution, allowing attackers to run malicious code directly on database servers.
The findings emerged during Wiz’s zeroday.cloud event, a cloud and AI security competition focused on finding previously unknown vulnerabilities. Researchers used an AI-powered security analysis platform called Xint Code to inspect database software for memory corruption and input validation errors.
Among the most serious discoveries was a heap-based buffer overflow vulnerability in PostgreSQL’s pgcrypto extension, tracked as CVE-2026-2005. Researchers said the flaw can be triggered using specially crafted input that creates a size mismatch and causes out-of-bounds writes in heap memory.
Because pgcrypto is commonly used for encryption and cryptography inside PostgreSQL environments, the vulnerability becomes especially dangerous when the extension processes user-controlled data. Under those circumstances, attackers may be able to achieve remote code execution on the database server.
The flaw carried a CVSS severity score of 8.8 and affected all supported PostgreSQL releases before patches were issued. Remarkably, researchers said the vulnerable code had existed since pgcrypto was introduced in 2005.
A second PostgreSQL vulnerability uncovered at the same event involved missing validation checks that could permit arbitrary code execution. The flaw, identified as CVE-2026-2006, was discovered by another research team participating in the competition.
Researchers said the vulnerability received a CVSS score approaching 9.0 and was patched alongside CVE-2026-2005 in PostgreSQL versions 18.2, 17.8, 16.12, 15.16 and 14.21.
Database maintainers urged organizations to deploy the fixes quickly because exploit code is now publicly available. Although the patches were released earlier this year, exposure remains widespread. According to Wiz, an analysis of cloud environments running PostgreSQL found that roughly 45% of deployments were directly accessible from the public internet.
The disclosures highlight a significant challenge for companies that depend heavily on mature open-source infrastructure. Widely adopted platforms like PostgreSQL often contain millions of lines of legacy code developed over decades, making it difficult for conventional manual auditing to identify deeply embedded flaws.
Memory Corruption Issue
MariaDB was also affected by a serious memory corruption issue. Researchers identified a heap buffer overflow vulnerability in the JSON_SCHEMA_VALID() function, tracked as CVE-2026-32710.
The bug stems from insufficient validation during JSON schema parsing operations. According to researchers, an authenticated user could trigger a crash and, under carefully controlled conditions, potentially escalate the attack into remote code execution.
While the MariaDB vulnerability appears more difficult to exploit than the PostgreSQL flaws, researchers warned that the vulnerable code path remains broadly reachable.
Affected MariaDB versions include releases 11.4.1 through 11.4.9 and 11.8.1 through 11.8.5. Patches were released in versions 11.4.10 and 11.8.6.
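As an added example (not code from the article, from Wiz, or from the PostgreSQL or MariaDB projects), the following Python script classifies database version strings against the fixed releases named above for both the PostgreSQL flaws (CVE-2026-2005, CVE-2026-2006) and the MariaDB flaw (CVE-2026-32710). The host names and version strings in the sample inventory are constructed; branches the article does not name are flagged for manual review rather than guessed.

```python
import re

# Fixed releases stated in the article, keyed by release branch.
POSTGRES_FIXED = {14: (14, 21), 15: (15, 16), 16: (16, 12), 17: (17, 8), 18: (18, 2)}
MARIADB_FIXED = {(11, 4): (11, 4, 10), (11, 8): (11, 8, 6)}
# Affected MariaDB ranges stated in the article (inclusive).
MARIADB_AFFECTED = {(11, 4): ((11, 4, 1), (11, 4, 9)), (11, 8): ((11, 8, 1), (11, 8, 5))}


def parse_version(text):
    """Extract the leading dotted version from strings such as
    'PostgreSQL 16.11 on x86_64-pc-linux-gnu' or '11.4.7-MariaDB-log'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no major.minor version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def postgres_status(version_text):
    v = parse_version(version_text)
    if v[0] not in POSTGRES_FIXED:
        return "unknown branch"  # not named in the article; review manually
    return "patched" if v >= POSTGRES_FIXED[v[0]] else "vulnerable"


def mariadb_status(version_text):
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in MARIADB_FIXED:
        return "unknown branch"
    if v >= MARIADB_FIXED[branch]:
        return "patched"
    low, high = MARIADB_AFFECTED[branch]
    return "vulnerable" if low <= v <= high else "not listed as affected"


def audit(inventory):
    """inventory: iterable of (host, product, version string).
    Returns (host, product, status) rows that still need action."""
    checkers = {"postgresql": postgres_status, "mariadb": mariadb_status}
    return [(host, product, checkers[product](version))
            for host, product, version in inventory
            if checkers[product](version) != "patched"]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("db-01.example", "postgresql", "PostgreSQL 16.11 on x86_64-pc-linux-gnu"),
    ("db-02.example", "postgresql", "PostgreSQL 17.8 (Debian 17.8-1)"),
    ("db-03.example", "mariadb", "11.4.7-MariaDB-log"),
    ("db-04.example", "mariadb", "11.8.6-MariaDB"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("%-16s %-11s %s" % row)
```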
Security scoring organizations differed somewhat in their severity assessments. GitHub rated the MariaDB vulnerability at 8.5, while NIST assigned the flaw a critical CVSS score of 9.9.
AI-assisted security analysis is becoming highly effective at identifying flaws in aging codebases that traditional methods may miss. Rather than replacing human researchers, tools like Xint Code are helping analysts process enormous software repositories more efficiently and detect problems like subtle memory handling issues and missing validation routines.