CVE-2026-12045
published 2026-06-19CVE-2026-12045: Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary…
PriorityP356critical9CVSS 3.1
AVNACLPRLUIRSCCHIHAH
EPSS
0.51%
39.4th percentile
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.
The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.
Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.
Fix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.
This issue affects pgAdmin 4: from 9.13 before 9.16.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | >= 9.13 < 9.16 | 9.16 |
CVSS provenance
nvdv3.19.0CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat9.0HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant
vendor_redhat·2026-06-18·CVSS 9.0
CVE-2026-12045 [HIGH] CWE-89 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant
pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant
A flaw was found in the pgAdmin 4 AI Assistant. An attacker with the ability to influence database content that the assistant reads can exploit a transaction bypass vulnerability through prompt injection. This allows the attacker to execute arbitrary SQL queries with the privileges of the pgAdmin user's database role. If the pgAdmin user has superuser privileges, this can lead to remote code execution on the database server.
Statement: This Important flaw in the pgAdmin 4 AI Assistant allows an attacker to bypass read-only transaction protections through prompt injection. By influencing database content that the assistant reads, an attacker can execute arbitrary SQL queries with the privileges of the pgAdmin
GHSA
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin us
ghsa_unreviewed·2026-06-19
CVE-2026-12045 [CRITICAL] CWE-77 Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin us
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.
The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.
Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may ins
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12045 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant
bugzilla·2026-06-19
CVE-2026-12045 [HIGH] CVE-2026-12045 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant
CVE-2026-12045 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.
The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.
Delivery is
Bugzilla
CVE-2026-12045 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant [fedora-all]
bugzilla·2026-06-19
CVE-2026-12045 [HIGH] CVE-2026-12045 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant [fedora-all]
CVE-2026-12045 pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-c248414214 (pgadmin4-9.16-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c248414214
---
FEDORA-2026-5938be3b09 (pgadmin4-9.16-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-5938be3b09
---
FEDORA-2026-c248414214 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the foll
2026-06-19
Published