CVE-2026-7816
Published 2026-05-11
Priority: P2 (61, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.44% (70.0th percentile)
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.
User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.
Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.
This issue affects pgAdmin 4: before 9.15.
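The mitigation described above (a parentheses-balance check that understands SQL quoting, allow-lists for the option fields, and null-byte rejection) can be illustrated with the following Python validator. This is an added example, not pgAdmin's own code: the shape of the \copy template, the function names, the output-path quoting and the allow-list contents (PostgreSQL COPY's csv/text/binary formats, ON_ERROR stop/ignore, LOG_VERBOSITY default/verbose) are assumptions for illustration, and the sample inputs are constructed.

```python
"""Added example (not pgAdmin's own code): validate user input before it is
placed inside a psql \\copy export template, following the mitigation the
advisory describes. Template shape, names and allow-list contents are
assumptions for illustration."""
from typing import Optional

# Allow-lists for the option fields (assumed set of PostgreSQL COPY options).
ALLOWED_FORMATS = frozenset({"csv", "text", "binary"})
ALLOWED_ON_ERROR = frozenset({"stop", "ignore"})
ALLOWED_LOG_VERBOSITY = frozenset({"default", "verbose"})


class ExportValidationError(ValueError):
    """Raised when user input cannot safely be placed inside the template."""


def paren_depth_ok(query: str) -> bool:
    """True if parentheses in query are balanced and the depth never drops
    below zero, treating single-quoted strings, double-quoted identifiers
    and SQL comments as opaque (a ')' inside them does not count).
    A depth below zero is exactly what a ") TO ..." suffix needs to escape
    the surrounding "\\copy ( ... )" group, so it is rejected."""
    depth = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):                      # string literal / identifier
            i += 1
            while i < n:
                if query[i] == c:
                    if i + 1 < n and query[i + 1] == c:   # doubled-quote escape
                        i += 2
                        continue
                    break
                i += 1
            if i >= n:
                return False                     # unterminated quote: fail closed
        elif query.startswith("--", i):          # line comment runs to newline
            nl = query.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif query.startswith("/*", i):          # block comment (non-nested)
            end = query.find("*/", i + 2)
            if end == -1:
                return False
            i = end + 1
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def validate_export_request(query: str, fmt: str,
                            on_error: Optional[str] = None,
                            log_verbosity: Optional[str] = None) -> None:
    """Apply the checks the advisory lists: type check, null bytes, paren
    balance, allow-listed option values. Raises ExportValidationError."""
    if not isinstance(query, str) or not query.strip():
        raise ExportValidationError("query must be a non-empty string")
    if "\x00" in query:
        raise ExportValidationError("query contains a null byte")
    if not paren_depth_ok(query):
        raise ExportValidationError("query has unbalanced parentheses or an unterminated quote")
    if not isinstance(fmt, str) or fmt not in ALLOWED_FORMATS:
        raise ExportValidationError(f"format not allowed: {fmt!r}")
    if on_error is not None and on_error not in ALLOWED_ON_ERROR:
        raise ExportValidationError(f"on_error not allowed: {on_error!r}")
    if log_verbosity is not None and log_verbosity not in ALLOWED_LOG_VERBOSITY:
        raise ExportValidationError(f"log_verbosity not allowed: {log_verbosity!r}")


def build_copy_command(query: str, fmt: str, output_path: str,
                       on_error: Optional[str] = None,
                       log_verbosity: Optional[str] = None) -> str:
    """Build the \\copy metacommand only after validation succeeds (assumed
    template shape). output_path is chosen by the server, not the user; it is
    still written as a quoted literal with single quotes doubled."""
    validate_export_request(query, fmt, on_error, log_verbosity)
    options = [f"FORMAT {fmt}"]
    if on_error is not None:
        options.append(f"ON_ERROR {on_error}")
    if log_verbosity is not None:
        options.append(f"LOG_VERBOSITY {log_verbosity}")
    path_literal = "'" + output_path.replace("'", "''") + "'"
    return f"\\copy ({query}) TO {path_literal} WITH ({', '.join(options)})"


def is_safe_export(query: str, fmt: str = "csv",
                   on_error: Optional[str] = None,
                   log_verbosity: Optional[str] = None) -> bool:
    """Convenience predicate for tests and request logging."""
    try:
        validate_export_request(query, fmt, on_error, log_verbosity)
        return True
    except ExportValidationError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate query and the breakout suffix the advisory names.
    print(build_copy_command("SELECT id, count(*) FROM t GROUP BY id", "csv", "/srv/exports/out.csv"))
    print(is_safe_export("SELECT 1) TO PROGRAM 'cmd' --"))   # False
```

The depth-never-negative rule is the important part: a query that merely ends balanced can still close the outer group early and reopen one later, so the check must reject the first stray `)` rather than only compare totals at the end. Dollar-quoted strings (`$$...$$`) are not recognised here, which can only cause a legitimate query to be refused, never an unsafe one to pass.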
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | >= 9.4 < 9.15 | 9.15 |
| pgadmin | pgadmin_4 | >= 9.4 < 9.15 | 9.15 |
Detection & IOCs (extracted from sources)
Detection:
- Detect injection of the ") TO PROGRAM" pattern in pgAdmin Import/Export query export requests, indicating an attempt to break out of the psql \copy metacommand context for OS command execution.
- Detect injection of the ") TO '/path'" pattern in pgAdmin Import/Export query export requests, indicating an attempt to perform an arbitrary file write via psql \copy metacommand breakout.
- Monitor the pgAdmin 4 Import/Export query export functionality for user-supplied input in the format, on_error, and log_verbosity fields containing unexpected or non-allowlisted values, as these fields were also raw-interpolated and exploitable.
- Flag any pgAdmin Import/Export export requests containing null bytes in the query field, as null byte injection was a known attack vector patched in 9.15.
- Alert on pgAdmin 4 versions before 9.15 handling Import/Export query export operations: all such versions are vulnerable to this OS command injection.
Context:
- Exploitation requires an authenticated pgAdmin session; unauthenticated attackers cannot trigger this vulnerability directly.
- The vulnerability is in the Import/Export query export feature specifically; the injection point is user-supplied input interpolated into a psql \copy metacommand template without sanitization.
- Command execution occurs in the pgAdmin server process, not on the PostgreSQL database server; the impact scope is the host running pgAdmin 4.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA (unreviewed, 2026-05-11)
GHSA-j74f-g7vx-fh4x: OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export
Tagged: CVE-2026-7816 [HIGH], CWE-89
GHSA (2026-05-11)
pgAdmin 4: OS command injection vulnerability in Import/Export query export
Tagged: CVE-2026-7816 [HIGH], CWE-89
No detection rules found.
No public exploits indexed.
Bugzilla (2026-05-12, CVSS 8.7)
CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export via psql metacommand breakout [fedora-all]
Tagged: CVE-2026-7816 [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-68f6155fea (pgadmin4-9.15-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-68f6155fea
---
FEDORA-2026-1545df20ad (pgadmin4-9.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-1545df20ad
Bugzilla (2026-05-11, CVSS 8.7)
CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export via psql metacommand breakout
Tagged: CVE-2026-7816 [HIGH]