cbcvebase.
CVE-2026-7816
published 2026-05-11

CVE-2026-7816: OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export

Priority: P2 / 61 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.44% (70.0th percentile)
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.

Affected (2 ranges)

Vendor        Product     Version range    Fixed in
pgadmin.org   pgadmin_4   >= 9.4 < 9.15    9.15
pgadmin       pgadmin_4   >= 9.4 < 9.15    9.15

Detection & IOCs (extracted from sources)

  • Detect injection of the ") TO PROGRAM" pattern in pgAdmin Import/Export query export requests, indicating an attempt to break out of the psql \copy metacommand context for OS command execution
  • Detect injection of the ") TO '/path'" pattern in pgAdmin Import/Export query export requests, indicating an attempt to perform an arbitrary file write via psql \copy metacommand breakout
  • Monitor the pgAdmin 4 Import/Export query export functionality for user-supplied input in the format, on_error, and log_verbosity fields containing unexpected or non-allow-listed values, as these fields were also raw-interpolated and exploitable
  • Flag any pgAdmin Import/Export export requests containing null bytes in the query field, as null-byte injection was a known attack vector patched in 9.15
  • Alert on pgAdmin 4 versions before 9.15 handling Import/Export query export operations — all such versions are vulnerable to this OS command injection
  • Exploitation requires an authenticated pgAdmin session — unauthenticated attackers cannot trigger this vulnerability directly
  • The vulnerability is in the Import/Export query export feature specifically; the injection point is user-supplied input interpolated into a psql \copy metacommand template without sanitization
  • Command execution occurs in the pgAdmin server process, not on the PostgreSQL database server — the impact scope is the host running pgAdmin 4
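As an added example (not pgAdmin's code), a validator of the kind the fix described above and the detection bullets call for: it rejects null bytes, allow-lists the three option fields, and refuses any query whose parentheses do not balance outside string literals, quoted identifiers and comments, which is what keeps a ')' from closing the \copy (...) context early. The allow-list values and the function names are assumptions; the scanner is a simplified stand-in for psql's strtokx, and it fails closed on anything it cannot lex.

```python
# Assumed allow-lists (PostgreSQL COPY option values); not pgAdmin's own lists.
ALLOWED_OPTIONS = {
    "format": {"csv", "text", "binary"},
    "on_error": {"stop", "ignore"},
    "log_verbosity": {"default", "verbose"},
}

def parens_balanced(query: str) -> bool:
    """True only if parens outside literals/identifiers/comments balance and never
    close more than were opened; an unterminated quote or comment is rejected."""
    depth, i, n = 0, 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):  # 'literal' or "identifier"; a doubled quote escapes
            j = query.find(c, i + 1)
            while j != -1 and query[j + 1:j + 2] == c:
                j = query.find(c, j + 2)
            if j == -1:
                return False
            i = j + 1
        elif query.startswith("--", i):  # line comment
            j = query.find("\n", i)
            i = n if j == -1 else j + 1
        elif query.startswith("/*", i):  # block comment; these nest in PostgreSQL
            level, i = 1, i + 2
            while i < n and level:
                step = 2 if query[i:i + 2] in ("/*", "*/") else 1
                level += {"/*": 1, "*/": -1}.get(query[i:i + 2], 0)
                i += step
            if level:
                return False
        else:
            depth += {"(": 1, ")": -1}.get(c, 0)
            if depth < 0:  # a ')' that would escape the \copy ( ... ) context
                return False
            i += 1
    return depth == 0

def reject_reason(query, fmt=None, on_error=None, log_verbosity=None):
    """None if the request may be templated into the command, else a reason code."""
    if not isinstance(query, str) or "\x00" in query:
        return "query"  # wrong type or embedded null byte
    if not parens_balanced(query):
        return "parens"
    for name, value in (("format", fmt), ("on_error", on_error),
                        ("log_verbosity", log_verbosity)):
        if value is not None and (not isinstance(value, str)
                                  or value.lower() not in ALLOWED_OPTIONS[name]):
            return name  # raw interpolation of this field is what the fix removed
    return None
```

Run against request fields before they reach the template; any non-None reason should be logged, since it corresponds directly to one of the detection bullets above.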

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.7 HIGH  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X