CVE-2026-7815: Vulnerability in pgadmin.org pgAdmin 4
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.
AI Analysis
Technical Summary
The vulnerability in pgAdmin 4 Maintenance Tool involves four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) that are concatenated directly into VACUUM/ANALYZE/REINDEX commands passed to psql --command. An authenticated user with tools_maintenance permission can inject SQL to break out of the intended syntax, leading to arbitrary SQL execution on the PostgreSQL server. This can be further leveraged to execute operating system commands on the database host using COPY ... TO PROGRAM. The fix implemented in pgAdmin 4 version 9.15 introduces server-side allow-listing for these fields and changes reindex_tablespace quoting to use the qtIdent filter, mitigating injection risks.
Potential Impact
Successful exploitation allows an authenticated user with limited permissions to execute arbitrary SQL commands on the PostgreSQL server, compromising confidentiality, integrity, and availability of the database. Additionally, it enables escalation to operating system command execution on the database host, posing a critical risk to the underlying system security.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has indicated that the fix is included in pgAdmin 4 version 9.15, which introduces server-side allow-listing and safer quoting to prevent injection. Until patched, restrict access to users with tools_maintenance permission and monitor for suspicious activity related to maintenance commands.
CVE-2026-7815: Vulnerability in pgadmin.org pgAdmin 4
Description
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in pgAdmin 4 Maintenance Tool involves four JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) that are concatenated directly into VACUUM/ANALYZE/REINDEX commands passed to psql --command. An authenticated user with tools_maintenance permission can inject SQL to break out of the intended syntax, leading to arbitrary SQL execution on the PostgreSQL server. This can be further leveraged to execute operating system commands on the database host using COPY ... TO PROGRAM. The fix implemented in pgAdmin 4 version 9.15 introduces server-side allow-listing for these fields and changes reindex_tablespace quoting to use the qtIdent filter, mitigating injection risks.
Potential Impact
Successful exploitation allows an authenticated user with limited permissions to execute arbitrary SQL commands on the PostgreSQL server, compromising confidentiality, integrity, and availability of the database. Additionally, it enables escalation to operating system command execution on the database host, posing a critical risk to the underlying system security.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has indicated that the fix is included in pgAdmin 4 version 9.15, which introduces server-side allow-listing and safer quoting to prevent injection. Until patched, restrict access to users with tools_maintenance permission and monitor for suspicious activity related to maintenance commands.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- PostgreSQL
- Date Reserved
- 2026-05-04T21:26:57.386Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a01f792cbff5d86102f20fa
Added to database: 5/11/2026, 3:36:50 PM
Last enriched: 5/11/2026, 3:52:04 PM
Last updated: 5/12/2026, 3:50:30 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.