CVE-2026-12050
Status: Received - Intake
SQL Injection in pgAdmin 4

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: PostgreSQL

Description
SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field was interpolated directly into the SQL string with str.format() instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected PostgreSQL session to inject additional statements through that endpoint. The injected SQL executes under the database role the user is already authenticated as. The defect does not cross a privilege boundary -- the user already has direct SQL access to that role through the Query Tool -- so the attacker gains no capability beyond what their database role already grants them. The marginal impact is that the injection path is not the documented SQL-execution interface, so a deployment that gates the Query Tool at the application layer could see SQL executed through a path it did not anticipate. The fix passes the restore point name as a bound parameter and schema-qualifies the function call as pg_catalog.pg_create_restore_point, so a non-default search_path on the connection cannot redirect the call to a shadow definition. A regression test asserts that the value arrives as a bound parameter and is not spliced into the SQL string. This issue affects pgAdmin 4: from 1.0 before 9.16.
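The following is an added example, not pgAdmin's own code: it places the str.format() pattern the description attributes to the vulnerable endpoint beside the bound-parameter, pg_catalog-qualified form of the fix, and shows the kind of regression check the description mentions (the value must reach the driver as a parameter, never inside the SQL text). The connection stand-in and the function names are hypothetical.

```python
# Added example (not pgAdmin's code). Names below are hypothetical.

UNSAFE_SQL = "SELECT pg_create_restore_point('{0}');"
FIXED_SQL = "SELECT pg_catalog.pg_create_restore_point(%s);"


class RecordingConnection:
    """Stand-in for a DB-API cursor that records every execute() call."""

    def __init__(self):
        self.calls = []

    def execute(self, sql, params=None):
        self.calls.append((sql, params))


def create_restore_point_unsafe(conn, value):
    # Vulnerable pattern: the user-supplied name is spliced into the SQL text,
    # so any quote character in it becomes part of the statement's grammar.
    conn.execute(UNSAFE_SQL.format(value))


def create_restore_point_fixed(conn, value):
    # Fixed pattern: the name travels as a bound parameter, and the function is
    # qualified with pg_catalog so a non-default search_path cannot redirect it.
    conn.execute(FIXED_SQL, (value,))


def last_call_is_parameterized(conn, value):
    """Regression check: value must appear in params only, never in the SQL text."""
    sql, params = conn.calls[-1]
    return value not in sql and params is not None and value in params


def last_call_is_catalog_qualified(conn):
    """Regression check: the function call must be schema-qualified."""
    sql, _ = conn.calls[-1]
    return "pg_catalog.pg_create_restore_point(" in sql


if __name__ == "__main__":
    # Constructed input: an ordinary-looking name that happens to contain a quote.
    name = "rp_O'Hara_2026"
    conn = RecordingConnection()
    create_restore_point_unsafe(conn, name)
    print("unsafe call parameterized?", last_call_is_parameterized(conn, name))
    create_restore_point_fixed(conn, name)
    print("fixed call parameterized?", last_call_is_parameterized(conn, name))
    print("fixed call catalog-qualified?", last_call_is_catalog_qualified(conn))
```

The same two checks, run against the real endpoint's database call, are what turn the fix into a regression test rather than a one-time patch.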
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: pgadmin
Product: pgadmin
Version / Range: up to 9.16 (exclusive)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Executive Summary

This vulnerability is a SQL injection in pgAdmin 4's named restore point endpoint. Specifically, the user-supplied 'value' field was directly inserted into a SQL query string using string formatting instead of being passed as a bound parameter. This allowed an authenticated pgAdmin user with a connected PostgreSQL session to inject additional SQL statements through that endpoint.

The injected SQL executes with the privileges of the database role the user is already authenticated as. The vulnerability does not allow privilege escalation because the user already has direct SQL access through the Query Tool. However, it allows SQL execution through an unexpected path, potentially bypassing application-layer controls.

Impact Analysis

An attacker who is an authenticated pgAdmin user can inject and execute arbitrary SQL commands within the permissions of their existing database role, so SQL operations the deployment did not anticipate can be performed through the restore point endpoint.

Although the vulnerability does not allow privilege escalation, it bypasses application-layer controls that might restrict SQL execution to certain interfaces, potentially increasing the attack surface.

Mitigation Strategies

To mitigate this vulnerability, you should update pgAdmin 4 to version 9.16 or later, where the fix has been implemented.

The fix involves parameterizing the SQL query in the named restore point endpoint to prevent SQL injection by passing user input as a bound parameter instead of interpolating it directly into the SQL string.

Until the update is applied, consider restricting access to the restore point endpoint or limiting authenticated users' ability to execute arbitrary SQL through this path.

Compliance Impact

This vulnerability allows an authenticated pgAdmin user to perform SQL injection through the named restore point endpoint, executing SQL statements under their existing database role. Since the attacker does not gain privileges beyond their current role and the vulnerability does not cross privilege boundaries, the direct impact on compliance with standards like GDPR or HIPAA is limited.

However, the vulnerability could allow bypassing application-layer controls that restrict SQL execution paths, potentially leading to unauthorized data access or manipulation within the scope of the user's permissions. Such unauthorized actions, if they result in data breaches or improper data handling, could negatively affect compliance with data protection regulations.

Therefore, while the vulnerability itself does not inherently escalate privileges, it may increase risk exposure by circumventing expected access controls, which organizations must consider when assessing compliance with standards requiring strict data access controls and auditability.
