CVE-2026-7815
Received Received - Intake
SQL Injection in pgAdmin 4 Maintenance Tool

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: PostgreSQL

Description
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-05-11
AI Q&A
2026-05-11
EPSS Evaluated
N/A
NVD
CVE-2026-7815
EUVD
EUVD-2026-29083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pgadmin pgadmin_4 From 7.6 (inc) to 9.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7815 is a SQL injection vulnerability in the pgAdmin 4 Maintenance Tool. It occurs because four user-supplied JSON fieldsβ€”buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespaceβ€”are directly concatenated into VACUUM, ANALYZE, or REINDEX SQL commands executed via psql without proper sanitization.

An authenticated user with the tools_maintenance permission can exploit this flaw to inject arbitrary SQL commands. This injection can escalate to executing operating-system commands on the database host by leveraging the COPY ... TO PROGRAM feature.

The vulnerability affects pgAdmin 4 versions from 7.6 up to but not including 9.15. The fix introduced server-side allow-listing of the affected fields and improved handling of the reindex_tablespace field to prevent injection.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows an authenticated user with limited permissions to execute arbitrary SQL commands on the PostgreSQL server.

Exploiting this flaw could lead to unauthorized data access, data modification, or deletion within the database.

Furthermore, the injected SQL can escalate to operating-system command execution on the database host, potentially compromising the entire server environment.

Such an attack could result in data breaches, service disruption, or full system compromise.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade pgAdmin 4 to version 9.15 or later, where the issue is fixed.

The fix includes server-side allow-listing of the four vulnerable JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) and changes to how reindex_tablespace is handled to prevent SQL injection.

Additionally, restrict the tools_maintenance permission to trusted users only, as exploitation requires authenticated access with this permission.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart