Skip to main content

pgAdmin 4 EUVDEUVD-2026-29084

| CVE-2026-7816 HIGH
SQL Injection (CWE-89)
2026-05-11 PostgreSQL GHSA-j74f-g7vx-fh4x
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 11, 2026 - 17:17 EUVD
Re-analysis Queued
May 11, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 16:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
May 11, 2026 - 15:46 vuln.today
CVE Published
May 11, 2026 - 14:35 nvd
HIGH 8.8

DescriptionCVE.org

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.

AnalysisAI

Authenticated remote code execution in pgAdmin 4 versions before 9.15 allows low-privilege users to execute arbitrary OS commands on the pgAdmin server via unsanitized input in the Import/Export query export feature. Attackers inject malicious payloads into psql \copy metacommand templates to break out of the query context and invoke PROGRAM directives or write arbitrary files. No public exploit code identified at time of analysis, but exploitation requires only low-privilege authenticated access with no user interaction (CVSS AV:N/AC:L/PR:L/UI:N). EPSS data not provided; KEV status not confirmed.

Technical ContextAI

pgAdmin 4 is a web-based administration and development platform for PostgreSQL databases. The vulnerability exists in the Import/Export query export functionality where user-supplied input fields (query text, format, on_error, log_verbosity) are interpolated directly into psql \copy metacommand templates without sanitization or validation. The psql \copy metacommand supports TO PROGRAM clauses that execute arbitrary OS commands and TO FILE clauses for file writes. By injecting payloads like ") TO PROGRAM 'malicious_cmd'" or ") TO '/arbitrary/path'", authenticated users can escape the intended \copy (...) parenthetical context and achieve command execution on the pgAdmin server host or write files to server-writable paths. This is a classic OS command injection (CWE-78) where application-layer input validation failures enable shell metacharacter injection. The affected CPE cpe:2.3:a:pgadmin.org:pgadmin_4:*:*:*:*:*:*:*:* confirms all versions prior to 9.15 are vulnerable. The fix implements a parens-balance parser modeled on PostgreSQL's strtokx tokenizer to safely parse \copy syntax, applies allow-lists to format/on_error/log_verbosity fields, rejects null bytes in query strings, and adds stricter type checking and authorization gates.

RemediationAI

Upgrade to pgAdmin 4 version 9.15 or later immediately, which implements comprehensive input validation including parens-balance parsing, field allow-listing, null-byte rejection, and enhanced type/authorization checks per the fix description. Download the patched release from pgadmin.org official channels and follow standard pgAdmin upgrade procedures for your deployment method (standalone, Docker, or package manager). If immediate patching is infeasible, implement the following compensating controls with noted limitations: (1) Restrict pgAdmin access to trusted users only via application-layer authentication/authorization and network segmentation (firewall rules limiting access to admin jump hosts or VPN-only), understanding this reduces but does not eliminate insider threat risk. (2) Disable or restrict the Import/Export feature entirely via pgAdmin configuration or role-based permissions if your operational workflow permits, noting this breaks legitimate data export functionality. (3) Deploy pgAdmin in an isolated container or VM with minimal privileges and no network/filesystem access to sensitive resources, using AppArmor/SELinux policies to restrict child process execution, though this adds operational complexity and may still allow container escape or data exfiltration. (4) Monitor pgAdmin server logs and system process execution (auditd, Sysmon) for unexpected psql child processes or anomalous TO PROGRAM/TO FILE patterns, accepting that skilled attackers may evade logging. All compensating controls are inferior to patching and should be considered temporary risk reduction only. Vendor advisory and patch details: https://github.com/pgadmin-org/pgadmin4/issues/9899.

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2024-2044 CRITICAL POC
9.9 Mar 07

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling

CVE-2024-3116 CRITICAL POC
9.8 Apr 04

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. Rated cr

CVE-2022-4223 HIGH POC
8.8 Dec 13

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external Post

CVE-2024-9014 MEDIUM POC
6.5 Sep 23

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. Rated medium severity (CVS

CVE-2026-12046 CRITICAL
9.5 Jun 18

Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.1

CVE-2026-12045 CRITICAL
9.4 Jun 18

Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content

CVE-2026-7813 CRITICAL
9.4 May 11

Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users'

CVE-2024-4216 MEDIUM POC
5.4 May 02

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. Rated medium severity (CVS

CVE-2026-12048 CRITICAL
9.3 Jun 18

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL

CVE-2025-2946 CRITICAL
9.1 Apr 03

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). Rated critical severity (CVSS 9.1

CVE-2026-12044 HIGH
8.7 Jun 18

SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inj

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

EUVD-2026-29084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy