Which versions of pgAdmin 4 are affected by EUVD-2026-29083?

pgAdmin 4 versions prior to 9.15 contain a SQL injection vulnerability in the Maintenance Tool that allows authenticated users with maintenance permissions to execute arbitrary operating system…. A patch is available.

How to fix or mitigate EUVD-2026-29083?

Within 24 hours: inventory all pgAdmin 4 instances and document current versions and user permission assignments, particularly those with tools_maintenance role. Within 7 days: immediately upgrade all pgAdmin 4 deployments to version 9.15 or later per vendor advisory. Within 30 days: audit access logs for tools_maintenance user activity to identify any unauthorized VACUUM/ANALYZE/REINDEX command execution; review and restrict tools_maintenance permission assignments to only essential administrative accounts.

pgAdmin 4 EUVD-2026-29083

Q: What is the CVSS score of EUVD-2026-29083?

EUVD-2026-29083 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-7815 HIGH

SQL Injection (CWE-89)

2026-05-11 PostgreSQL

GHSA-hp84-p2gq-6fvr

SQLi PostgreSQL

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 11, 2026 - 17:17 EUVD

Re-analysis Queued

May 11, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

May 11, 2026 - 16:22 NVD

8.8 (HIGH) 8.7 (HIGH)

Analysis Generated

May 11, 2026 - 15:45 vuln.today

CVE Published

May 11, 2026 - 14:35 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 pypi packages depend on pgadmin4 (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 9.15.

DescriptionNVD

SQL injection vulnerability in pgAdmin 4 Maintenance Tool.

Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.

Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.

This issue affects pgAdmin 4: before 9.15.

AnalysisAI

SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. …

RemediationAI

Within 24 hours: inventory all pgAdmin 4 instances and document current versions and user permission assignments, particularly those with tools_maintenance role. Within 7 days: immediately upgrade all pgAdmin 4 deployments to version 9.15 or later per vendor advisory. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

EUVD-2026-29083 vulnerability details – vuln.today

Back

pgAdmin 4 EUVD-2026-29083

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Vendor StatusVendor

Share

pgAdmin 4 EUVD-2026-29083

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code