EUVD-2026-29083
GHSA-hp84-p2gq-6fvr
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 pypi packages depend on pgadmin4 (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 9.15.
DescriptionNVD
SQL injection vulnerability in pgAdmin 4 Maintenance Tool.
Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.
Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.
This issue affects pgAdmin 4: before 9.15.
AnalysisAI
SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: inventory all pgAdmin 4 instances and document current versions and user permission assignments, particularly those with tools_maintenance role. Within 7 days: immediately upgrade all pgAdmin 4 deployments to version 9.15 or later per vendor advisory. …
Sign in for detailed remediation steps.
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today