CVE-2026-12045
Status: Received - Intake
Read-only Transaction Bypass in pgAdmin 4 AI Assistant

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: PostgreSQL

Description
A read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.

The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without being restricted to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran the subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.

Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.

The fix validates the LLM-supplied query up front: it must parse to exactly one non-empty, non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.

This issue affects pgAdmin 4: from 9.13 before 9.16.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
pgadmin   pgadmin   From 9.13 (inc) to 9.16 (exc)
pgadmin   pgadmin   9.16
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Quick Actions
Executive Summary

This vulnerability exists in the pgAdmin 4 AI Assistant's execute_sql_query tool, which runs SQL queries generated by a large language model (LLM) inside a read-only transaction wrapper to prevent data modification.

However, the LLM-supplied query was not properly restricted to a single read-only statement. An attacker who can inject content into any database object the AI Assistant reads can craft a multi-statement SQL payload starting with transaction-control commands like COMMIT or ROLLBACK. This payload terminates the read-only transaction and executes subsequent statements in autocommit mode, allowing unauthorized data modification.

If the pgAdmin user's database role has elevated privileges (such as superuser or pg_execute_server_program), the attacker can escalate this to remote code execution on the database server via the COPY ... TO PROGRAM command.

The vulnerability is fixed by validating the LLM-supplied query upfront to ensure it contains exactly one allowed read-only statement (SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE) and rejects all others before any database interaction.

Impact Analysis

This vulnerability can allow an attacker with the ability to influence database content read by the AI Assistant to execute arbitrary SQL commands with the privileges of the pgAdmin user's database role.

With ordinary write privileges, the attacker can perform unauthorized data modifications, potentially corrupting or altering sensitive data.

If the pgAdmin user's role has superuser privileges or the pg_execute_server_program role, the attacker can escalate the attack to remote code execution on the database server host, which could lead to full system compromise.

Mitigation Strategies

The vulnerability in pgAdmin 4's AI Assistant allows multi-statement or non-read-only SQL queries to bypass transaction restrictions, potentially enabling unauthorized data modification or remote code execution.

Immediate mitigation involves updating pgAdmin 4 to version 9.16 or later, where a fix has been implemented.

  • The fix validates LLM-supplied queries to ensure they parse to exactly one non-empty, non-comment statement.
  • Only queries beginning with allowlisted keywords (SELECT, WITH, EXPLAIN, SHOW, VALUES, TABLE) are permitted.
  • All other statements, including transaction-control verbs, DML, DDL, and other disallowed keywords, are rejected before any database work happens.
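An added example, not pgAdmin's own code, of the up-front validation that the Description and the mitigation list above call for: the LLM-supplied text must split into exactly one non-empty, non-comment statement whose leading keyword is allowlisted. The splitter is aware of quoted strings, quoted identifiers, dollar quotes and nested comments so a ';' hidden inside them cannot be miscounted; the function names (split_statements, leading_verb, rejection_reason) are this example's own.

```python
import re
from typing import Optional

ALLOWED_VERBS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "VALUES", "TABLE"}
_DOLLAR_TAG = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$|\$\$")

def split_statements(sql: str) -> list:
    """Split on top-level ';' only: quotes, dollar quotes and nested comments are skipped
    (comments become a space). Backslash is never an escape, so an E'...' string may be
    over-split; that can only cause a false rejection, never a false acceptance."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                        # quoted; '' or "" doubles inside
            j = i + 1
            while j < n and (sql[j] != c or sql[j:j + 2] == c * 2):
                j += 2 if sql[j:j + 2] == c * 2 else 1
            buf.append(sql[i:j + 1]); i = j + 1
        elif sql.startswith("--", i):              # line comment
            nl = sql.find("\n", i); i = n if nl < 0 else nl; buf.append(" ")
        elif sql.startswith("/*", i):              # block comment, may nest
            depth, i = 1, i + 2
            while i < n and depth:
                if sql.startswith("/*", i): depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i): depth, i = depth - 1, i + 2
                else: i += 1
            buf.append(" ")
        elif c == "$" and (m := _DOLLAR_TAG.match(sql, i)):   # $tag$ ... $tag$
            end = sql.find(m.group(0), m.end())
            end = n if end < 0 else end + len(m.group(0))
            buf.append(sql[i:end]); i = end
        elif c == ";":
            stmts.append("".join(buf)); buf, i = [], i + 1
        else:
            buf.append(c); i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]

def leading_verb(stmt: str) -> str:
    """First real keyword, ignoring leading whitespace and '(' as in '(SELECT 1)'."""
    m = re.match(r"[A-Za-z_]\w*", stmt.lstrip(" \t\r\n("))
    return m.group(0).upper() if m else ""

def rejection_reason(sql: str) -> Optional[str]:
    """None if sql is exactly one allowlisted statement, else why it was refused."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return f"expected exactly one statement, found {len(stmts)}"
    verb = leading_verb(stmts[0])
    if verb not in ALLOWED_VERBS:
        return f"leading keyword {verb or '<none>'!r} not in {sorted(ALLOWED_VERBS)}"
    return None
```

The check runs before any database work; the READ ONLY transaction remains the backstop for data-modifying CTEs and volatile functions that an allowlisted SELECT can still reach.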

Until the update is applied, restrict write privileges on objects that the AI Assistant may inspect to reduce the risk of prompt injection.

Compliance Impact

This vulnerability allows an attacker with write access to the database content that the pgAdmin 4 AI Assistant reads to execute arbitrary SQL commands with the privileges of the pgAdmin user's database role. This can lead to unauthorized data modification or, in cases where the pgAdmin user has elevated privileges, remote code execution on the database server host.

Such unauthorized data modification or potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and access. The ability to bypass read-only transaction restrictions and modify data without proper authorization increases the risk of violating these regulatory requirements.

Detection Guidance

This vulnerability involves the pgAdmin 4 AI Assistant executing multi-statement or non-read-only SQL queries that bypass transaction restrictions. Detection would focus on identifying unusual or unauthorized SQL queries that include transaction-control statements such as COMMIT, END, ROLLBACK, or ABORT within the AI Assistant's activity.

Since the vulnerability is triggered by prompt injection causing the AI Assistant to run multi-statement payloads, monitoring logs for such SQL statements or unexpected transaction control commands executed by the pgAdmin user role could help detect exploitation attempts.

Suggested commands to detect suspicious activity might include querying PostgreSQL logs for transaction-control statements issued by the pgAdmin user, for example:

  • grep -iE '\b(COMMIT|END|ROLLBACK|ABORT)\b' /var/log/postgresql/postgresql.log | grep pgadmin
  • SELECT pid, usename, state, query FROM pg_stat_activity WHERE usename = 'pgadmin' AND query ~* '\y(COMMIT|END|ROLLBACK|ABORT)\y';

The word boundaries (\b in grep, \y in PostgreSQL regular expressions) stop END from matching inside words such as "pending". Both checks need context: the grep can only attribute statements to the pgAdmin role if log_line_prefix includes %u and log_statement is set so that statements are logged, and pg_stat_activity shows only each session's current or most recent query, so it is a point-in-time check rather than a substitute for statement logging. Expect the wrapper's own trailing ROLLBACK after every assistant query to match as well; the bypass shape is a transaction-control statement followed by further statements in the same query text.

Additionally, monitoring for unexpected data modifications or unusual COPY ... TO PROGRAM commands executed by the pgAdmin user could indicate exploitation attempts.
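An added example, not from this page or from pgAdmin, of running the detection idea above over PostgreSQL statement logs. It assumes log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d ', and, rather than matching every COMMIT or ROLLBACK (the wrapper's own ROLLBACK would fire on each assistant query), it flags only a transaction-control verb that is followed by further statements in the same logged text, or a COPY ... TO PROGRAM. The log lines are constructed and the function names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Assumed logging: log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d ',
# so each executed statement is logged as
# "<timestamp> [<pid>] <user>@<db> LOG:  statement: <sql>".
_LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@"
                   r"(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$")
# A transaction-control verb at a statement boundary that is followed by more SQL
# in the same text: the bypass shape. A bare ROLLBACK from the wrapper does not match.
_TXN_THEN_MORE = re.compile(
    r"(?:^|;)\s*(?:COMMIT|END|ROLLBACK|ABORT)\b[^;]*;\s*\S", re.I)
_COPY_TO_PROGRAM = re.compile(r"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I | re.S)

def classify(sql: str) -> Optional[str]:
    """Why a logged statement looks like the bypass, or None. Deliberately
    quote-unaware: a literal containing '; COMMIT; ' also fires (noisy, not blind)."""
    if _TXN_THEN_MORE.search(sql):
        return "transaction-control verb followed by further statements"
    if _COPY_TO_PROGRAM.search(sql):
        return "COPY ... TO PROGRAM issued from the assistant's role"
    return None

def scan(lines: List[str], pgadmin_role: str = "pgadmin") -> List[Tuple[str, str, str]]:
    """(pid, reason, sql) for every logged statement of pgadmin_role that classify() flags."""
    findings = []
    for line in lines:
        m = _LINE.match(line)
        if not m or m["user"] != pgadmin_role:
            continue
        why = classify(m["sql"])
        if why:
            findings.append((m["pid"], why, m["sql"]))
    return findings

# Constructed sample: a normal assistant query, then the bypass shape, then an
# unrelated role whose statements must be ignored.
SAMPLE_LOG = """\
2026-06-19 10:00:01.001 UTC [4242] pgadmin@appdb LOG:  statement: BEGIN TRANSACTION READ ONLY
2026-06-19 10:00:01.002 UTC [4242] pgadmin@appdb LOG:  statement: SELECT count(*) FROM orders
2026-06-19 10:00:01.003 UTC [4242] pgadmin@appdb LOG:  statement: ROLLBACK
2026-06-19 10:00:02.001 UTC [4242] pgadmin@appdb LOG:  statement: BEGIN TRANSACTION READ ONLY
2026-06-19 10:00:02.002 UTC [4242] pgadmin@appdb LOG:  statement: COMMIT; UPDATE orders SET status = 'paid'; ROLLBACK
2026-06-19 10:00:03.000 UTC [5151] app@appdb LOG:  statement: COMMIT; SELECT 1
""".splitlines()

if __name__ == "__main__":
    for pid, why, sql in scan(SAMPLE_LOG):
        print(f"pid {pid}: {why}: {sql}")
```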
