Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable through stored prompt injection, but exploitation needs attacker write access to content the assistant reads (PR:L), an operator who invokes the AI Assistant against that content (UI:P in the vendor vector), and an LLM that actually emits the payload as a tool call; the vendor nevertheless scores attack complexity as low (AC:L). The subsequent-system metrics (SC/SI/SA:H) reflect the step from SQL to OS command execution when the pgAdmin user's role is a superuser or holds pg_execute_server_program.
Primary rating from Vendor (PostgreSQL).
Description (CVE.org)
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.
The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.
Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.
The fix validates the LLM-supplied query up front: it must parse to exactly one non-empty, non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop what a leading-verb check cannot see: data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.
This issue affects pgAdmin 4 from 9.13 before 9.16.
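The two mechanisms described above, the multi-statement bypass of the READ ONLY wrapper and the allow-list check the fix introduces, as an added Python example. This is illustration written for this page, not pgAdmin's own code: `validate_llm_query` reimplements the policy the description states (one non-empty, non-comment statement whose leading token is SELECT, WITH, EXPLAIN, SHOW, VALUES or TABLE) with a small hand-written statement splitter rather than whatever parser pgAdmin uses; `wrapped_batch` assumes the wrapper is sent to the driver as one batch string; `execution_modes` is a simplified model of the server's transaction state, not PostgreSQL itself. All function names are assumptions and the payload is constructed from the exploit scenario on this page.

```python
"""Allow-list pre-check for LLM-generated SQL on the policy the pgAdmin 4 fix describes
(one statement; leading verb in an allow-list) and a model of the pre-fix bypass.
Added illustration, not pgAdmin's code: names and the one-batch wrapper are assumptions."""
import re

ALLOWED_LEADING_VERBS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "VALUES", "TABLE"}
TXN_END_VERBS = {"COMMIT", "END", "ROLLBACK", "ABORT"}
_DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")

def split_statements(sql):
    """Split on top-level ';' with comments removed.  String literals, quoted
    identifiers and dollar-quoted bodies pass through verbatim, so a ';' or '--'
    inside them can neither hide nor start a statement (E'...' escapes not modelled)."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c, pair = sql[i], sql[i:i + 2]
        if pair == "--":                                   # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j + 1
            buf.append(" ")
        elif pair == "/*":                                 # block comment; nests in PostgreSQL
            depth, i = 1, i + 2
            while i < n and depth:
                pair = sql[i:i + 2]
                depth += {"/*": 1, "*/": -1}.get(pair, 0)
                i += 2 if pair in ("/*", "*/") else 1
            buf.append(" ")
        elif c in ("'", '"'):                              # string literal / quoted identifier
            j = i + 1
            while j < n and not (sql[j] == c and sql[j:j + 2] != c * 2):
                j += 2 if sql[j:j + 2] == c * 2 else 1     # doubled quote is an escaped quote
            buf.append(sql[i:j + 1])
            i = j + 1
        elif c == "$" and (m := _DOLLAR_TAG.match(sql, i)):  # $tag$ ... $tag$
            tag = m.group(0)
            j = sql.find(tag, m.end())
            j = n if j == -1 else j + len(tag)
            buf.append(sql[i:j])
            i = j
        elif c == ";":                                     # top-level statement boundary
            stmts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(c)
            i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]         # drop empty / comment-only pieces

def leading_verb(stmt):
    """First real token after whitespace and leading punctuation such as the '('
    of '(SELECT 1)'; comments were already removed by split_statements."""
    m = re.match(r"[\s(]*([A-Za-z_][A-Za-z0-9_]*)", stmt)
    return m.group(1).upper() if m else ""

def validate_llm_query(sql):
    """(ok, reason): ok only for exactly one statement with an allowed leading verb.
    Purely syntactic: data-modifying CTEs and EXPLAIN ANALYZE over DML pass here and
    are left to the server's READ ONLY mode, as the advisory notes."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False, f"expected exactly one statement, got {len(stmts)}"
    verb = leading_verb(stmts[0])
    if verb not in ALLOWED_LEADING_VERBS:
        return False, f"leading verb {verb or '<none>'!r} is not allowed"
    return True, "ok"

def wrapped_batch(llm_sql, validate):
    """The READ ONLY wrapper handed to the driver (assumed shape: one batch string).
    validate=False reproduces the pre-fix behaviour."""
    if validate:
        ok, reason = validate_llm_query(llm_sql)
        if not ok:
            raise ValueError(reason)
    return f"BEGIN TRANSACTION READ ONLY;\n{llm_sql};\nROLLBACK;"

def execution_modes(batch):
    """Model of the server's transaction state per statement: what runs inside the
    READ ONLY transaction and what runs in autocommit once it has been ended."""
    in_txn, out = False, []
    for stmt in split_statements(batch):
        verb = leading_verb(stmt)
        if verb in ("BEGIN", "START"):
            in_txn = True
            out.append((verb, "opens READ ONLY txn"))
        elif verb in TXN_END_VERBS:
            out.append((verb, "ends txn" if in_txn else "no-op (no open txn)"))
            in_txn = False
        else:
            out.append((verb, "in READ ONLY txn" if in_txn else "AUTOCOMMIT"))
    return out

PAYLOAD = "COMMIT; COPY (SELECT 1) TO PROGRAM 'id > /tmp/id.txt'"  # constructed, from the page's scenario

if __name__ == "__main__":
    for verb, mode in execution_modes(wrapped_batch(PAYLOAD, validate=False)):
        print(f"{verb:<9}{mode}")                    # COPY runs in AUTOCOMMIT; ROLLBACK is a no-op
    print(validate_llm_query(PAYLOAD))               # (False, 'expected exactly one statement, got 2')
```

Run stand-alone, the pre-fix batch lands on the model as BEGIN / COMMIT / COPY / ROLLBACK, with COPY executing in autocommit and the trailing ROLLBACK a no-op, while the validator rejects the same payload before anything reaches the driver. The splitter deliberately copies quoted regions through so that a `;` inside a string literal or a `$tag$` body cannot be used to smuggle or split a statement, and it fails closed on anything it cannot parse into exactly one statement. `EXPLAIN ANALYZE DELETE FROM t` is accepted by this syntactic check on purpose: that is precisely the case the description leaves to PostgreSQL's READ ONLY mode.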
Analysis (AI)
Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content into database objects the AI Assistant inspects to bypass the read-only transaction wrapper and execute arbitrary SQL with the pgAdmin user's database role. When that role is a PostgreSQL superuser or holds pg_execute_server_program, the chain escalates to remote code execution on the database host via COPY ... …
Vulnerability Assessment (AI)
| Area | Assessment |
| --- | --- |
| Exploitation | Requires (1) the pgAdmin 4 AI Assistant to be enabled and configured with an LLM backend on a vulnerable version (9.13 ≤ v < 9.16); (2) attacker-controlled content reachable by the assistant: any row value, column value, object comment, or other database-stored text that the operator asks the assistant to inspect; (3) at least ordinary write privileges on some object in the target database, to plant the prompt-injection payload (PR:L in the CVSS vector); and (4) operator interaction (UI:P), i.e. a pgAdmin user actually invoking the AI Assistant against the poisoned data. … |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, base 9.4) reflects network-reachable, low-complexity exploitation requiring only a low-privileged database account plus passive user interaction (the pgAdmin operator running the AI Assistant). … |
| Exploit Scenario | An attacker with ordinary INSERT/UPDATE rights on a table that a pgAdmin operator might inspect with the AI Assistant plants a row whose text column carries a prompt-injection payload instructing the LLM to call execute_sql_query with `COMMIT; COPY (SELECT 1) TO PROGRAM 'id > /tmp/id.txt';` (or any DML statement). When the operator next asks the AI Assistant to explore that table, the LLM emits the multi-statement query; the leading COMMIT closes the READ ONLY wrapper and the remaining statements execute in autocommit mode under the operator's role, yielding unauthorized writes or, if that role is a superuser or holds pg_execute_server_program, shell command execution on the database host. … |
| Remediation | Upstream fix available (commit bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b); per the advisory the issue is resolved in pgAdmin 4 version 9.16, so upgrading from 9.13-9.15 to 9.16 or later is the primary remediation (see https://github.com/pgadmin-org/pgadmin4/commit/bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b and https://github.com/pgadmin-org/pgadmin4/issues/10022). … |
Recommended Action (AI)
Within 24 hours: identify all systems running pgAdmin 4 versions 9.13-9.15 and assess their network exposure. If immediate patching is not feasible, remove the preconditions the chain needs: disable the AI Assistant, or have pgAdmin connect only with roles that are neither superusers nor members of pg_execute_server_program, which confines a successful bypass to unauthorised SQL and rules out COPY ... TO PROGRAM command execution on the host. …
Related identifiers: EUVD-2026-37965, GHSA-95q2-vx3p-f723