Upgrade embedded PostgreSQL to 14.21 to address CVE-2026-2003

## Summary

Steampipe v2.4.0 embeds PostgreSQL 14.19.0, which is vulnerable to [CVE-2026-2003](https://www.postgresql.org/support/security/CVE-2026-2003/). Security scanners are flagging this. We need to upgrade to PostgreSQL 14.21 which contains the fix.

## Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE** | [CVE-2026-2003](https://www.postgresql.org/support/security/CVE-2026-2003/) |
| **Description** | Improper validation of the `oidvector` type in PostgreSQL allows a database user to disclose a few bytes of server memory |
| **CVSS Score** | 4.3 (Medium) — `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` |
| **Affected Versions** | PostgreSQL < 14.21 |
| **Fixed In** | PostgreSQL 14.21 (published Feb 12, 2026) |
| **Reporter** | Altan Birler |

## Current State

Steampipe v2.4.0 bundles PostgreSQL **14.19.0** (see `pkg/constants/db.go`):

```go
DatabaseVersion = "14.19.0"
PostgresImageRef = "ghcr.io/turbot/steampipe/db:14.19.0"
```


Field	Value
CVE	CVE-2026-2003
Description	Improper validation of the `oidvector` type in PostgreSQL allows a database user to disclose a few bytes of server memory
CVSS Score	4.3 (Medium) — `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`
Affected Versions	PostgreSQL < 14.21
Fixed In	PostgreSQL 14.21 (published Feb 12, 2026)
Reporter	Altan Birler

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade embedded PostgreSQL to 14.21 to address CVE-2026-2003 #4961

Summary

Vulnerability Details

Current State

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Upgrade embedded PostgreSQL to 14.21 to address CVE-2026-2003 #4961

Description

Summary

Vulnerability Details

Current State

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions