2469082 – (CVE-2026-7815) CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leading to remote code execution

Bug 2469082 (CVE-2026-7815) - CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leading to remote code execution

Summary: CVE-2026-7815 pgadmin4: SQL injection in maintenance tool option values leadi...

Keywords:
Status:	NEW
Alias:	CVE-2026-7815
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2476787
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-11 16:02 UTC by OSIDB Bzimport
Modified:	2026-05-13 14:01 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-11 16:02:20 UTC

SQL injection vulnerability in pgAdmin 4 Maintenance Tool.

Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.

Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.

This issue affects pgAdmin 4: before 9.15.

Note You need to log in before you can comment on or make changes to this bug.