Skip to main content

pgAdmin 4 EUVDEUVD-2026-29083

| CVE-2026-7815 HIGH
SQL Injection (CWE-89)
2026-05-11 PostgreSQL GHSA-hp84-p2gq-6fvr
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 11, 2026 - 17:17 EUVD
Re-analysis Queued
May 11, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 16:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
May 11, 2026 - 15:45 vuln.today
CVE Published
May 11, 2026 - 14:35 nvd
HIGH 8.8

DescriptionCVE.org

SQL injection vulnerability in pgAdmin 4 Maintenance Tool.

Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.

Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.

This issue affects pgAdmin 4: before 9.15.

AnalysisAI

SQL injection in pgAdmin 4 Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL and escalate to operating-system command execution on PostgreSQL database hosts. Four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) are concatenated unsafely into VACUUM/ANALYZE/REINDEX commands passed to psql. Attackers can break out of option syntax, inject SQL statements, and leverage PostgreSQL's COPY ... TO PROGRAM to achieve OS-level code execution. Fixed in version 9.15 via server-side allow-listing and proper input sanitization using qtIdent filter. EPSS data not available; no public exploit identified at time of analysis.

Technical ContextAI

pgAdmin 4 is the web-based administration and development platform for PostgreSQL databases. The Maintenance Tool generates database maintenance commands (VACUUM, ANALYZE, REINDEX) from user-supplied parameters. The vulnerability stems from unsafe string concatenation of four JSON input fields directly into SQL command strings before passing them to the psql command-line client via the --command flag. This classic second-order injection occurs because user-controlled input flows through the web application into dynamically constructed SQL without proper escaping or parameterization. The reindex_tablespace field relied on manual quoting instead of PostgreSQL's qtIdent identifier-quoting function. When these malformed commands reach the PostgreSQL server, attackers can inject arbitrary SQL, including COPY ... TO PROGRAM statements that invoke shell commands on the database host operating system, bridging from SQL injection to remote code execution.

RemediationAI

Upgrade to pgAdmin 4 version 9.15 or later, which implements server-side allow-listing for buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespace fields and replaces manual quoting with the qtIdent filter for identifier sanitization. Download the patched version from https://www.pgadmin.org/download/ or update via your package manager (apt, yum, Homebrew, Docker registry). Verify successful upgrade by checking Help > About shows version 9.15+. If immediate patching is not feasible, implement compensating controls: revoke tools_maintenance permission from all non-administrative users via pgAdmin's role management interface (trade-off: breaks legitimate maintenance workflows for power users); restrict pgAdmin access to trusted administrator workstations via firewall rules or VPN (trade-off: reduces operational flexibility); enable PostgreSQL query logging and monitor for suspicious COPY TO PROGRAM or shell command invocations in logs (trade-off: performance overhead and delayed detection). Network segmentation between pgAdmin servers and database hosts limits lateral movement post-compromise but does not prevent initial SQL injection. Review and minimize use of PostgreSQL superuser privileges for connections initiated from pgAdmin. Full technical details and patch commits are available in the referenced GitHub issue.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

EUVD-2026-29083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy