2469114 – (CVE-2026-7816) CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export via psql metacommand breakout

Bug 2469114 (CVE-2026-7816) - CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export via psql metacommand breakout

Summary: CVE-2026-7816 pgadmin4: OS command injection in Import/Export query export vi...

Keywords:
Status:	NEW
Alias:	CVE-2026-7816
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2476791
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-11 16:04 UTC by OSIDB Bzimport
Modified:	2026-05-13 14:05 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-11 16:04:39 UTC

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.

Note You need to log in before you can comment on or make changes to this bug.