CVE-2026-7815
published 2026-05-11


Priority: P2 (60)
CVSS 3.1: 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.46% (36.3th percentile)
SQL injection vulnerability in the pgAdmin 4 Maintenance Tool. Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command, which pgAdmin then passed to psql --command. An authenticated pgAdmin user holding the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server with the privileges of the database role that pgAdmin connects as. Where that role may use COPY ... TO PROGRAM, the injected SQL can in turn escalate to operating-system command execution on the database host. The fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter. This issue affects pgAdmin 4 before 9.15.
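
The concatenation pattern the advisory describes, beside the allow-list-plus-quoting pattern of the fix, as an added worked example (this is illustrative code written for this page, not pgAdmin's own maintenance module). The allow-list patterns, the `qt_ident()` stand-in for pgAdmin's qtIdent filter, the `public.t` target, the attacker value, and the naive `statements()` splitter are all assumptions; the point is only that the unchecked value turns one VACUUM into two statements, while the same value is rejected, or swallowed into a single quoted identifier, by the hardened renderers:

```python
"""Model of the CVE-2026-7815 pattern (raw concatenation of JSON fields into a
VACUUM/REINDEX command handed to `psql --command`) and of the fix (server-side
allow-listing plus identifier quoting). Added illustration, not pgAdmin code."""
import re

# Assumed allow-lists for the injectable fields (pgAdmin 9.15's real rules may differ):
VACUUM_PARALLEL_RE = re.compile(r"^[0-9]{1,4}$")       # PARALLEL worker count
BUFFER_USAGE_LIMIT_RE = re.compile(r"^[0-9]{1,9}$")    # BUFFER_USAGE_LIMIT in kB
INDEX_CLEANUP_VALUES = {"AUTO", "ON", "OFF"}           # INDEX_CLEANUP keywords


def qt_ident(name: str) -> str:
    """Quote a SQL identifier: wrap in double quotes and double embedded quotes.
    Stand-in for the qtIdent filter the fix applies to reindex_tablespace."""
    return '"' + name.replace('"', '""') + '"'


def render_vacuum_vulnerable(table: str, opts: dict) -> str:
    """Pre-9.15 pattern: option values are concatenated straight into the command.
    `table` is assumed to be already quoted by the caller."""
    parts = ["VERBOSE"]
    if "vacuum_parallel" in opts:
        parts.append(f"PARALLEL {opts['vacuum_parallel']}")
    if "buffer_usage_limit" in opts:
        parts.append(f"BUFFER_USAGE_LIMIT {opts['buffer_usage_limit']}")
    if "vacuum_index_cleanup" in opts:
        parts.append(f"INDEX_CLEANUP {opts['vacuum_index_cleanup']}")
    return f"VACUUM ({', '.join(parts)}) {table};"


def render_reindex_vulnerable(table: str, tablespace: str) -> str:
    """Pre-9.15 pattern for reindex_tablespace: manual quoting, which a double
    quote inside the value terminates early."""
    return f'REINDEX (TABLESPACE "{tablespace}") TABLE {table};'


def render_vacuum_hardened(table: str, opts: dict) -> str:
    """Post-fix pattern: each field must match its allow-list, otherwise the
    request is rejected before any SQL text is built."""
    parts = ["VERBOSE"]
    if "vacuum_parallel" in opts:
        v = str(opts["vacuum_parallel"])
        if not VACUUM_PARALLEL_RE.match(v):
            raise ValueError(f"vacuum_parallel rejected: {v!r}")
        parts.append(f"PARALLEL {v}")
    if "buffer_usage_limit" in opts:
        v = str(opts["buffer_usage_limit"])
        if not BUFFER_USAGE_LIMIT_RE.match(v):
            raise ValueError(f"buffer_usage_limit rejected: {v!r}")
        parts.append(f"BUFFER_USAGE_LIMIT {v}")
    if "vacuum_index_cleanup" in opts:
        v = str(opts["vacuum_index_cleanup"]).upper()
        if v not in INDEX_CLEANUP_VALUES:
            raise ValueError(f"vacuum_index_cleanup rejected: {v!r}")
        parts.append(f"INDEX_CLEANUP {v}")
    return f"VACUUM ({', '.join(parts)}) {table};"


def render_reindex_hardened(table: str, tablespace: str) -> str:
    """Post-fix pattern: the tablespace name goes through identifier quoting, so
    an embedded double quote can no longer close the identifier."""
    return f"REINDEX (TABLESPACE {qt_ident(tablespace)}) TABLE {table};"


def statements(command: str) -> list:
    """Naive split on ';' (assumes no ';' inside quotes, which holds for the
    vulnerable outputs below); comment-only fragments are dropped."""
    return [f.strip() for f in command.split(";")
            if f.strip() and not f.strip().startswith("--")]


# Constructed attacker values: close the option list, finish the statement,
# append COPY ... TO PROGRAM, then comment out the rest of the original text.
VACUUM_PAYLOAD = "1024) public.t; COPY (SELECT 1) TO PROGRAM 'id'; --"
REINDEX_PAYLOAD = "ts\") TABLE public.t; COPY (SELECT 1) TO PROGRAM 'id'; --"


def demo() -> dict:
    target = qt_ident("public") + "." + qt_ident("t")
    evil = {"buffer_usage_limit": VACUUM_PAYLOAD}
    benign = {"vacuum_parallel": "2", "buffer_usage_limit": "1024",
              "vacuum_index_cleanup": "auto"}
    try:
        render_vacuum_hardened(target, evil)
        rejected = False
    except ValueError:
        rejected = True
    vulnerable = render_vacuum_vulnerable(target, evil)
    return {
        "vulnerable": vulnerable,
        "vulnerable_statement_count": len(statements(vulnerable)),
        "hardened_rejected": rejected,
        "hardened_ok": render_vacuum_hardened(target, benign),
        "reindex_vulnerable": render_reindex_vulnerable(target, REINDEX_PAYLOAD),
        "reindex_hardened": render_reindex_hardened(target, REINDEX_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the vulnerable VACUUM rendering as two statements (the VACUUM and the attacker's COPY), the hardened renderer refusing the same value, and the hardened REINDEX emitting a single, harmless, oddly named tablespace identifier. The allow-list approach is the right shape here because none of these four options legitimately needs quotes, parentheses or semicolons, so rejecting anything outside a tight grammar loses nothing.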

Affected (2 ranges)

Vendor        Product     Version range      Fixed in
pgadmin.org   pgadmin_4   >= 7.6, < 9.15     9.15
pgadmin       pgadmin_4   >= 7.6, < 9.15     9.15

Detection & IOCs

command: psql --command (pgAdmin spawns psql for every maintenance job, so the process itself is expected; the rendered command text is what to inspect)
command: COPY ... TO PROGRAM
  • Monitor pgAdmin 4 maintenance tool requests where the JSON fields buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, or reindex_tablespace contain SQL metacharacters or statement terminators (e.g. ';', '--', a double quote, parentheses, or SQL keywords). Legitimate values are a small integer, a size, AUTO/ON/OFF, or a tablespace name, so anything else indicates an injection attempt.
  • Alert on PostgreSQL logs showing COPY ... TO PROGRAM statements originating from pgAdmin maintenance tool sessions; this is the OS command escalation vector. Statement logging must actually be enabled (log_statement = 'all', or pgAudit) for such statements to appear.
  • Restrict or audit use of the tools_maintenance permission in pgAdmin 4; exploitation requires an authenticated user holding this permission.
  • Flag pgAdmin 4 instances running versions before 9.15 as unpatched and prioritize the upgrade; the fix introduces server-side allow-listing and the qtIdent filter for reindex_tablespace.
Caveats:
  • Exploitation requires authentication to pgAdmin 4 and possession of the tools_maintenance permission; unauthenticated or unprivileged users cannot trigger the injection.
  • OS-level command execution via COPY ... TO PROGRAM depends on the database role pgAdmin connects with: PostgreSQL permits it only for superusers or members of the pg_execute_server_program role, and the program runs as the operating-system user of the PostgreSQL server process. Without such a role the injection still yields arbitrary SQL with that role's privileges.
  • The patch switches reindex_tablespace to the qtIdent filter and adds server-side allow-listing for all four injectable fields; environments that have applied pgAdmin 4 ≥ 9.15 (or Fedora updates FEDORA-2026-68f6155fea / FEDORA-2026-1545df20ad) are remediated.
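
The two detection items above (request-field inspection and COPY ... TO PROGRAM in database logs), as an added example run over constructed data; this is not code from the advisory or from pgAdmin. The request body layout (the four fields at top level of the JSON), the log_line_prefix format, and the "pgAdmin" application_name marker are assumptions to adapt to your own environment:

```python
"""Detection logic for CVE-2026-7815 signals over constructed samples.
Added example; request shape, log format and app-name marker are assumptions."""
import json
import re

WATCHED_FIELDS = ("buffer_usage_limit", "vacuum_parallel",
                  "vacuum_index_cleanup", "reindex_tablespace")

# Characters and keywords no legitimate value of these fields needs: statement
# terminators, comment openers, quotes, parentheses, and SQL verbs.
SUSPICIOUS_RE = re.compile(
    r"[;'\"()]|--|/\*|\b(?:COPY|SELECT|PROGRAM|UNION|DROP|INSERT|UPDATE|DELETE)\b",
    re.IGNORECASE)

# COPY ... TO PROGRAM anywhere in the logged statement text.
COPY_TO_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\bTO\s+PROGRAM\b",
                                re.IGNORECASE | re.DOTALL)


def flag_request_fields(body: str) -> list:
    """Return the watched fields of a maintenance request body whose values
    carry SQL metacharacters or keywords (empty list means the body looks clean)."""
    data = json.loads(body)
    return [f for f in WATCHED_FIELDS
            if f in data and SUSPICIOUS_RE.search(str(data[f]))]


def flag_copy_to_program(log_line: str, app_marker: str = "pgAdmin") -> bool:
    """True when a PostgreSQL log line records COPY ... TO PROGRAM and its
    application_name field mentions pgAdmin (marker string is an assumption)."""
    return app_marker in log_line and bool(COPY_TO_PROGRAM_RE.search(log_line))


# Constructed sample request bodies (field layout assumed, not pgAdmin's wire format).
SAMPLE_REQUESTS = [
    '{"op": "VACUUM", "vacuum_parallel": "2", "buffer_usage_limit": "1024", "vacuum_index_cleanup": "auto"}',
    '{"op": "VACUUM", "buffer_usage_limit": "1024) t; COPY (SELECT 1) TO PROGRAM \'id\'; --"}',
    '{"op": "REINDEX", "reindex_tablespace": "pg_default"}',
    '{"op": "REINDEX", "reindex_tablespace": "x\\") TABLE t; DROP TABLE t; --"}',
]

# Constructed PostgreSQL log lines, log_line_prefix assumed as '%m [%p] %u@%d app=%a '.
SAMPLE_LOG = [
    "2026-05-12 10:01:02.123 UTC [4242] admin@appdb app=pgAdmin 4 - CONN:1234 LOG:  statement: VACUUM (VERBOSE) public.t;",
    "2026-05-12 10:01:03.456 UTC [4242] admin@appdb app=pgAdmin 4 - CONN:1234 LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id';",
    "2026-05-12 10:02:00.000 UTC [4300] etl@appdb app=etl-loader LOG:  statement: COPY staging FROM '/tmp/x.csv';",
]


def scan() -> dict:
    """Indices of suspicious sample requests and of matching log lines."""
    return {
        "flagged_requests": [i for i, b in enumerate(SAMPLE_REQUESTS)
                             if flag_request_fields(b)],
        "flagged_log_lines": [i for i, line in enumerate(SAMPLE_LOG)
                              if flag_copy_to_program(line)],
    }


if __name__ == "__main__":
    print(scan())
```

The request-side rule is deliberately strict: tablespace names containing a double quote or a semicolon are possible in PostgreSQL but practically nonexistent, so the occasional false positive there is worth the signal. The log-side rule only fires if the COPY statement was logged at all, which is why the guidance above pairs it with enabling statement logging.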

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.7 HIGH
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X