CVE-2026-7815
Analyzed Analyzed - Analysis Complete
SQL Injection in pgAdmin 4 Maintenance Tool

Publication date: 2026-05-11

Last updated on: 2026-05-26

Assigner: PostgreSQL

Description
SQL injection vulnerability in pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host. Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4: before 9.15.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-26
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-19
NVD
CVE-2026-7815
EUVD
EUVD-2026-29083
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pgadmin pgadmin_4 From 7.6 (inc) to 9.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves SQL injection through four specific JSON fields in pgAdmin 4 Maintenance Tool commands. Detection would involve monitoring or testing for injection attempts in the fields buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespace when VACUUM, ANALYZE, or REINDEX commands are executed.

Since the vulnerability requires an authenticated user with tools_maintenance permission to exploit, detection can include auditing usage of this permission and inspecting logs for unusual or malformed VACUUM/ANALYZE/REINDEX commands that include unexpected SQL syntax or attempts to break out of option syntax.

Specific commands to detect exploitation attempts might include querying PostgreSQL logs for suspicious commands or using SQL queries to check for unusual activity. For example, you could search PostgreSQL logs for commands containing suspicious patterns like 'COPY ... TO PROGRAM' or unexpected SQL keywords within maintenance commands.

  • grep -iE "VACUUM|ANALYZE|REINDEX" /var/log/postgresql/postgresql.log | grep -iE "COPY.*TO PROGRAM|;|--|\"|\'"
  • psql -c "SELECT * FROM pg_stat_activity WHERE query LIKE '%VACUUM%' OR query LIKE '%ANALYZE%' OR query LIKE '%REINDEX%';"
  • Audit users with tools_maintenance permission: psql -c "SELECT rolname FROM pg_roles WHERE rolname IN (SELECT grantee FROM information_schema.role_table_grants WHERE privilege_type='EXECUTE' AND table_name='tools_maintenance');"

Note that no specific detection commands are provided in the available resources, so these suggestions are based on the nature of the vulnerability and typical PostgreSQL monitoring practices.

Executive Summary

CVE-2026-7815 is a SQL injection vulnerability in the pgAdmin 4 Maintenance Tool. It occurs because four user-supplied JSON fieldsβ€”buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespaceβ€”are directly concatenated into VACUUM, ANALYZE, or REINDEX SQL commands executed via psql without proper sanitization.

An authenticated user with the tools_maintenance permission can exploit this flaw to inject arbitrary SQL commands. This injection can escalate to executing operating-system commands on the database host by leveraging the COPY ... TO PROGRAM feature.

The vulnerability affects pgAdmin 4 versions from 7.6 up to but not including 9.15. The fix introduced server-side allow-listing of the affected fields and improved handling of the reindex_tablespace field to prevent injection.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user with limited permissions to execute arbitrary SQL commands on the PostgreSQL server.

Exploiting this flaw could lead to unauthorized data access, data modification, or deletion within the database.

Furthermore, the injected SQL can escalate to operating-system command execution on the database host, potentially compromising the entire server environment.

Such an attack could result in data breaches, service disruption, or full system compromise.

Mitigation Strategies

To mitigate this vulnerability, upgrade pgAdmin 4 to version 9.15 or later, where the issue is fixed.

The fix includes server-side allow-listing of the four vulnerable JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) and changes to how reindex_tablespace is handled to prevent SQL injection.

Additionally, restrict the tools_maintenance permission to trusted users only, as exploitation requires authenticated access with this permission.

Compliance Impact

The provided information does not specify how this SQL injection vulnerability in pgAdmin 4 affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7815. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart