Home

Description

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-11 | Updated 2026-05-11 | Assigner PostgreSQL




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Authenticated pgAdmin user with tools_import_export permission. Command execution occurs in the pgAdmin process, which is the same security authority as the application itself; S:U reflects no scope change. Whether this is a privilege escalation depends on whether the attacker had other shell access to the pgAdmin host.

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Authenticated pgAdmin user with tools_import_export permission. Command execution occurs in the pgAdmin process, which is the same security authority as the application itself; S:U reflects no scope change. Whether this is a privilege escalation depends on whether the attacker had other shell access to the pgAdmin host.

Product status

Default status
affected

9.4 (custom) before 9.15
affected

Credits

Chung Kim (chungkn), OneMount Group finder

References

github.com/pgadmin-org/pgadmin4/issues/9899 issue-tracking

cve.org (CVE-2026-7816)

nvd.nist.gov (CVE-2026-7816)

Download JSON