CVE-2026-12050
published 2026-06-19CVE-2026-12050: SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field was interpolated…
PriorityP358high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.24%
15.5th percentile
SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field was interpolated directly into the SQL string with str.format() instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected PostgreSQL session to inject additional statements through that endpoint.
The injected SQL executes under the database role the user is already authenticated as. The defect does not cross a privilege boundary -- the user already has direct SQL access to that role through the Query Tool -- so the attacker gains no capability beyond what their database role already grants them. The marginal impact accounts for the fact that the injection path is not the documented SQL-execution interface, so a deployment that gates the Query Tool at the application layer could see SQL executed through a path it did not anticipate.
Fix passes the restore point name as a bound parameter and schema-qualifies the function call as pg_catalog.pg_create_restore_point so a non-default search_path on the connection cannot redirect the call to a shadow definition. A regression test asserts the value arrives as a bound parameter and not spliced into the SQL string.
This issue affects pgAdmin 4: from 1.0 before 9.16.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | >= 1.0 < 9.16 | 9.16 |
| pgadmin | pgadmin_4 | >= 1.0 < 9.16 | 9.16 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}).
ghsa_unreviewed·2026-06-19
CVE-2026-12050 [MEDIUM] CWE-89 SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}).
SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field was interpolated directly into the SQL string with str.format() instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected PostgreSQL session to inject additional statements through that endpoint.
The injected SQL executes under the database role the user is already authenticated as. The defect does not cross a privilege boundary -- the user already has direct SQL access to that role through the Query Tool -- so the attacker gains no capability beyond what their database role already grants them. The marginal impact accounts for the fact that the injection path is not the documented SQL-execution interface, s
Red Hat
pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
vendor_redhat·2026-06-18·CVSS 4.3
CVE-2026-12050 [MEDIUM] CWE-89 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
A flaw was found in pgAdmin 4. An authenticated user with an active PostgreSQL session could exploit a SQL injection vulnerability in the named restore point endpoint. This allows the user to execute arbitrary SQL statements through an unexpected path. While this does not grant additional privileges beyond what the user already possesses, it could bypass application-layer controls designed to restrict direct SQL access.
Statement: This Moderate flaw in pgAdmin 4 allows an authenticated user with an active PostgreSQL session to perform SQL injection. While it does not grant additional privileges, it enables the execution of arbitrary SQL statements through an unintended pathway, potentially bypassing
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12050 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
bugzilla·2026-06-19
CVE-2026-12050 [MEDIUM] CVE-2026-12050 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
CVE-2026-12050 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field was interpolated directly into the SQL string with str.format() instead of being passed as a bound parameter, allowing an authenticated pgAdmin user with a connected PostgreSQL session to inject additional statements through that endpoint.
The injected SQL executes under the database role the user is already authenticated as. The defect does not cross a privilege boundary -- the user already has direct SQL access to that role through the Query Tool -- so the attacker gains no capability beyond what their database role already grants them. The margi
Bugzilla
CVE-2026-12050 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint [fedora-all]
bugzilla·2026-06-19
CVE-2026-12050 [MEDIUM] CVE-2026-12050 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint [fedora-all]
CVE-2026-12050 pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-c248414214 (pgadmin4-9.16-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c248414214
---
FEDORA-2026-5938be3b09 (pgadmin4-9.16-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-5938be3b09
---
FEDORA-2026-c248414214 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with
2026-06-19
Published