CVE-2026-7815
Published: 2026-05-11
Priority: P2 (60, high)
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.46% (36.3rd percentile)
SQL injection vulnerability in pgAdmin 4 Maintenance Tool.
Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.
The fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.
This issue affects pgAdmin 4 versions before 9.15.
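To illustrate the remediation the advisory describes, the following is an added example (not pgAdmin's own code) of allow-listing the four maintenance-tool fields and quoting reindex_tablespace as an identifier before anything reaches the rendered command. The accepted value shapes are assumptions taken from PostgreSQL's VACUUM and REINDEX option syntax, and quote_ident is a simplified stand-in for the qtIdent filter named in the advisory.

```python
import re

# Added illustration of the remediation described above (server-side allow-listing of the
# four maintenance-tool fields plus identifier quoting for reindex_tablespace). Example
# code written for this note, not pgAdmin's own; accepted shapes follow PostgreSQL syntax.
SIZE_RE = re.compile(r"[0-9]+(?:kB|MB|GB|TB)?")   # BUFFER_USAGE_LIMIT, e.g. 256kB
INT_RE = re.compile(r"[0-9]+")                     # PARALLEL worker count
INDEX_CLEANUP_VALUES = ("AUTO", "ON", "OFF")       # INDEX_CLEANUP keywords


class InvalidOption(ValueError):
    """Raised when a user-supplied option value is not on the allow-list."""


def quote_ident(name: str) -> str:
    """Double-quote a PostgreSQL identifier (simplified stand-in for pgAdmin's qtIdent)."""
    if not name or "\x00" in name:
        raise InvalidOption("reindex_tablespace: empty or NUL-containing identifier")
    return '"' + name.replace('"', '""') + '"'


def validate_options(opts: dict) -> dict:
    """Return a sanitised copy of the four fields; reject anything off the allow-list."""
    clean = {}
    if "buffer_usage_limit" in opts:
        v = str(opts["buffer_usage_limit"])
        if not SIZE_RE.fullmatch(v):
            raise InvalidOption(f"buffer_usage_limit: {v!r}")
        clean["buffer_usage_limit"] = v
    if "vacuum_parallel" in opts:
        v = str(opts["vacuum_parallel"])
        if not INT_RE.fullmatch(v):
            raise InvalidOption(f"vacuum_parallel: {v!r}")
        clean["vacuum_parallel"] = int(v)
    if "vacuum_index_cleanup" in opts:
        v = str(opts["vacuum_index_cleanup"]).upper()
        if v not in INDEX_CLEANUP_VALUES:
            raise InvalidOption(f"vacuum_index_cleanup: {v!r}")
        clean["vacuum_index_cleanup"] = v
    if "reindex_tablespace" in opts:
        clean["reindex_tablespace"] = quote_ident(str(opts["reindex_tablespace"]))
    return clean


def render_vacuum(clean: dict) -> str:
    """Render the VACUUM option list from validated values only (never raw request JSON)."""
    parts = []
    if "buffer_usage_limit" in clean:
        parts.append(f"BUFFER_USAGE_LIMIT '{clean['buffer_usage_limit']}'")
    if "vacuum_parallel" in clean:
        parts.append(f"PARALLEL {clean['vacuum_parallel']}")
    if "vacuum_index_cleanup" in clean:
        parts.append(f"INDEX_CLEANUP {clean['vacuum_index_cleanup']}")
    return "VACUUM (" + ", ".join(parts) + ");" if parts else "VACUUM;"
```

A request whose vacuum_parallel value carries a statement terminator is rejected by validate_options before any command is rendered, so the only characters that ever reach psql --command are those the allow-list admits.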
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | >= 7.6 < 9.15 | 9.15 |
| pgadmin | pgadmin_4 | >= 7.6 < 9.15 | 9.15 |
Detection & IOCs
- Monitor pgAdmin 4 maintenance tool requests where the JSON fields buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, or reindex_tablespace contain SQL metacharacters or statement terminators (e.g. ';', '--', or SQL keywords) indicative of injection attempts.
- Alert on PostgreSQL audit logs showing COPY ... TO PROGRAM statements originating from pgAdmin maintenance tool sessions, as this is the OS command escalation vector.
- Restrict or audit use of the tools_maintenance permission in pgAdmin 4; exploitation requires an authenticated user holding this permission.
- Flag pgAdmin 4 instances running versions before 9.15 as unpatched and prioritize the upgrade; the fix introduces server-side allow-listing and the qtIdent filter for reindex_tablespace.
- Exploitation requires authentication to pgAdmin 4 and possession of the tools_maintenance permission; unauthenticated or unprivileged users cannot trigger the injection.
- OS-level command execution via COPY ... TO PROGRAM depends on the PostgreSQL server's configuration permitting that command (typically superuser or the pg_execute_server_program role on the DB side).
- The patch switches reindex_tablespace to the qtIdent filter and adds server-side allow-listing for all four injectable fields; environments running pgAdmin 4 ≥ 9.15 (or the Fedora updates FEDORA-2026-68f6155fea / FEDORA-2026-1545df20ad) are remediated.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA · 2026-05-11
SQL injection vulnerability in pgAdmin 4 Maintenance Tool (CVE-2026-7815, HIGH, CWE-89)
GHSA (unreviewed) · 2026-05-11
GHSA-hp84-p2gq-6fvr: SQL injection vulnerability in pgAdmin 4 Maintenance Tool (CVE-2026-7815, HIGH, CWE-89)
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-05-12 · CVSS 8.7
CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leading to remote code execution [fedora-all] (HIGH)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-68f6155fea (pgadmin4-9.15-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-68f6155fea
---
FEDORA-2026-1545df20ad (pgadmin4-9.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-1545df20ad
Bugzilla · 2026-05-11 · CVSS 8.7
CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leading to remote code execution (HIGH)