diff --git a/README.md b/README.md index b509bdddd7..b1e519c170 100644 --- a/README.md +++ b/README.md @@ -183,8 +183,8 @@ This is the same PostgreSQL build that powers [Supabase](https://supabase.io), b ## Primary Features -- ✅ Postgres [postgresql-15.14](https://www.postgresql.org/docs/15/index.html) -- ✅ Postgres [postgresql-17.6](https://www.postgresql.org/docs/17/index.html) +- ✅ Postgres [postgresql-15.18](https://www.postgresql.org/docs/15/index.html) +- ✅ Postgres [postgresql-17.10](https://www.postgresql.org/docs/17/index.html) - ✅ Postgres [orioledb-postgresql-17_11](https://github.com/orioledb/orioledb) - ✅ Ubuntu 24.04 (Noble Numbat). - ✅ [wal_level](https://www.postgresql.org/docs/current/runtime-config-wal.html) = logical and [max_replication_slots](https://www.postgresql.org/docs/current/runtime-config-replication.html) = 5. Ready for replication. diff --git a/ansible/vars.yml b/ansible/vars.yml index 56ddc53884..2b0734c388 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -11,8 +11,8 @@ postgres_major: # Full version strings for each major version postgres_release: postgresorioledb-17: "17.6.0.078-orioledb" - postgres17: "17.6.1.121" - postgres15: "15.14.1.121" + postgres17: "17.10.1.001" + postgres15: "15.18.1.001" # Non Postgres Extensions pgbouncer_release: 1.25.1 diff --git a/migrations/schema-15.sql b/migrations/schema-15.sql index 0ee211e3c9..76b70f1922 100644 --- a/migrations/schema-15.sql +++ b/migrations/schema-15.sql @@ -4,8 +4,8 @@ \restrict SupabaseTestDumpKey123 --- Dumped from database version 15.14 --- Dumped by pg_dump version 15.14 +-- Dumped from database version 15.18 +-- Dumped by pg_dump version 15.18 SET statement_timeout = 0; SET lock_timeout = 0; diff --git a/migrations/schema-17.sql b/migrations/schema-17.sql index 30f476e50c..18307c35b5 100644 --- a/migrations/schema-17.sql +++ b/migrations/schema-17.sql 
@@ -4,8 +4,8 @@ \restrict SupabaseTestDumpKey123 --- Dumped from database version 17.6 --- Dumped by pg_dump version 17.6 +-- Dumped from database version 17.10 +-- Dumped by pg_dump version 17.10 SET statement_timeout = 0; SET lock_timeout = 0; diff --git a/nix/config.nix b/nix/config.nix index e61683674c..a1edf2fbbd 100644 --- a/nix/config.nix +++ b/nix/config.nix @@ -46,12 +46,12 @@ in supportedPostgresVersions = { postgres = { "15" = { - version = "15.14"; - hash = "sha256-Bt110wXNOHDuYrOTLmYcYkVD6vmuK6N83sCk+O3QUdI="; + version = "15.18"; + hash = "sha256-Ed8N+X/j6kupp5H6rznO4dL+Vx54iFtbVdhRfSfDI7Q="; }; "17" = { - version = "17.6"; - hash = "sha256-4GMKNgCuonURcVVjJZ7CERzV9DU6SwQOC+gn+UzXqLA="; + version = "17.10"; + hash = "sha256-B4oDUW3NvbcF/sr0Feo9E6lWxYnkbwn+1ooG+wBZjJA="; }; }; orioledb = { diff --git a/nix/tests/expected/operator_breaking_change.out b/nix/tests/expected/operator_breaking_change.out new file mode 100644 index 0000000000..ffce8babd3 --- /dev/null +++ b/nix/tests/expected/operator_breaking_change.out 
@@ -0,0 +1,50 @@
+-- Pin CVE-2026-2004 behaviour: attaching a non-built-in selectivity estimator
+-- to an operator requires superuser. Verified against both RESTRICT and JOIN.
+--
+-- Upstream commits: b764b26f (PG 15.16), bbf5bcf5 (PG 17.8). The check fires in
+-- both ValidateRestrictionEstimator() and ValidateJoinEstimator() in
+-- src/backend/commands/operatorcmds.c.
+--
+-- Refs: PSQL-1110, PSQL-1234.
+BEGIN;
+-- Build a non-built-in restriction estimator and a non-built-in join estimator.
+CREATE FUNCTION public.fake_restrict_sel(internal, oid, internal, integer)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+CREATE FUNCTION public.fake_join_sel(internal, oid, internal, smallint, internal)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+-- Trivial procedure for the operator definition.
+CREATE FUNCTION public.fake_op_proc(_int4, _int4)
+ RETURNS bool LANGUAGE sql IMMUTABLE
+ AS $$ SELECT true $$;
+-- Switch to a non-superuser role.
+SET ROLE postgres;
+-- 1) RESTRICT = non-built-in should be rejected.
+SAVEPOINT before_restrict;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = public.fake_restrict_sel
+);
+ERROR: must be superuser to specify a non-built-in restriction estimator function
+ROLLBACK TO SAVEPOINT before_restrict;
+-- 2) JOIN = non-built-in should be rejected.
+SAVEPOINT before_join;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ JOIN = public.fake_join_sel
+);
+ERROR: must be superuser to specify a non-built-in join estimator function
+ROLLBACK TO SAVEPOINT before_join;
+-- 3) Sanity check: built-in selectivity estimators still work for non-superusers.
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = eqsel,
+ JOIN = eqjoinsel
+);
+DROP OPERATOR public.@@@ (_int4, _int4);
+RESET ROLE;
+ROLLBACK;
diff --git a/nix/tests/sql/operator_breaking_change.sql b/nix/tests/sql/operator_breaking_change.sql
new file mode 100644
index 0000000000..cf60336279
--- /dev/null
+++ b/nix/tests/sql/operator_breaking_change.sql
@@ -0,0 +1,58 @@
+-- Pin CVE-2026-2004 behaviour: attaching a non-built-in selectivity estimator
+-- to an operator requires superuser. Verified against both RESTRICT and JOIN.
+--
+-- Upstream commits: b764b26f (PG 15.16), bbf5bcf5 (PG 17.8). The check fires in
+-- both ValidateRestrictionEstimator() and ValidateJoinEstimator() in
+-- src/backend/commands/operatorcmds.c.
+--
+-- Refs: PSQL-1110, PSQL-1234.
+
+BEGIN;
+
+-- Build a non-built-in restriction estimator and a non-built-in join estimator.
+CREATE FUNCTION public.fake_restrict_sel(internal, oid, internal, integer)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+
+CREATE FUNCTION public.fake_join_sel(internal, oid, internal, smallint, internal)
+ RETURNS float8 LANGUAGE sql IMMUTABLE STRICT PARALLEL SAFE
+ AS $$ SELECT 0.5::float8 $$;
+
+-- Trivial procedure for the operator definition.
+CREATE FUNCTION public.fake_op_proc(_int4, _int4)
+ RETURNS bool LANGUAGE sql IMMUTABLE
+ AS $$ SELECT true $$;
+
+-- Switch to a non-superuser role.
+SET ROLE postgres;
+
+-- 1) RESTRICT = non-built-in should be rejected.
+SAVEPOINT before_restrict;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = public.fake_restrict_sel
+);
+ROLLBACK TO SAVEPOINT before_restrict;
+
+-- 2) JOIN = non-built-in should be rejected.
+SAVEPOINT before_join;
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ JOIN = public.fake_join_sel
+);
+ROLLBACK TO SAVEPOINT before_join;
+
+-- 3) Sanity check: built-in selectivity estimators still work for non-superusers.
+CREATE OPERATOR public.@@@ (
+ LEFTARG = _int4, RIGHTARG = _int4,
+ PROCEDURE = public.fake_op_proc,
+ RESTRICT = eqsel,
+ JOIN = eqjoinsel
+);
+
+DROP OPERATOR public.@@@ (_int4, _int4);
+
+RESET ROLE;
+ROLLBACK;
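Review bot: The comment `-- Switch to a non-superuser role.` above `SET ROLE postgres;` states a precondition that the test never checks, and nothing in this hunk shows that `postgres` lacks superuser in the image under test. If that role were a superuser, both rejected-case `CREATE OPERATOR` statements would succeed, and the diff against the expected output would look like a regression of the CVE-2026-2004 check rather than a wrong test role. I would add `SELECT rolsuper FROM pg_roles WHERE rolname = current_user;` directly after the `SET ROLE`, and record its `f` result in nix/tests/expected/operator_breaking_change.out, so the privilege level is pinned alongside the two ERROR lines. It would also help to extend the comment to say which role is the superuser in this build, so a reader coming from stock PostgreSQL does not assume `postgres` is one.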