Description
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.

The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.

Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.

The fix validates the LLM-supplied query up front: it must parse to exactly one non-empty, non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.
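The up-front check described above, written out as an added Python example (this is not pgAdmin's own code; the function names and the exact handling of quotes, dollar quoting and nested comments are this example's assumptions): comments are dropped, the text is split on top-level semicolons only, and the single remaining statement is accepted only if its first real token is one of the read-only verbs.

```python
import re

ALLOWED_VERBS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "VALUES", "TABLE"}  # starters the fix accepts
DOLLAR_TAG = re.compile(r"\$(?:[A-Za-z_]\w*)?\$")  # $$ or $tag$

def split_statements(sql):
    """Drop comments and split on top-level ';'. Quoted strings, quoted identifiers,
    dollar-quoted strings and nested block comments are skipped, so a ';' inside them
    is not treated as a statement boundary."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if sql.startswith("--", i):          # line comment: discard up to the newline
            while i < n and sql[i] != "\n":
                i += 1
        elif sql.startswith("/*", i):        # block comment (PostgreSQL allows nesting)
            depth, i = 1, i + 2
            while i < n and depth:
                depth += {"/*": 1, "*/": -1}.get(sql[i:i + 2], 0)
                i += 2 if sql[i:i + 2] in ("/*", "*/") else 1
        elif c in ("'", '"'):                # literal or quoted identifier; '' is an escape
            j = i + 1
            while j < n and not (sql[j] == c and sql[j + 1:j + 2] != c):
                j += 2 if sql[j] == c else 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif c == "$" and (m := DOLLAR_TAG.match(sql, i)):   # $tag$ ... $tag$
            tag = m.group(0)
            end = sql.find(tag, i + len(tag))
            end = n if end < 0 else end + len(tag)
            buf.append(sql[i:end])
            i = end
        elif c == ";":                       # top-level statement boundary
            stmts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(c)
            i += 1
    stmts.append("".join(buf))
    return [s for s in stmts if s.strip()]  # drop empty / comment-only fragments

def validate_query(sql):
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False, "expected exactly one statement, found %d" % len(stmts)
    m = re.match(r"[\s(]*([A-Za-z_]+)", stmts[0])   # skip whitespace and leading parens
    verb = m.group(1).upper() if m else ""
    if verb not in ALLOWED_VERBS:
        return False, "leading token %r is not a read-only verb" % (verb or "<none>")
    return True, "ok"
```

Run `validate_query` on the tool's query string before opening the READ ONLY transaction; anything that is not a single allowed statement is rejected without touching the database.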

This issue affects pgAdmin 4: from 9.13 before 9.16.
Published: 2026-06-18
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Read‑only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user’s database role. The LLM‑generated query is forwarded to the database driver without restricting it to a single statement or to read‑only verbs, so a multi‑statement payload beginning with COMMIT, END, ROLLBACK, or ABORT breaks the read‑only wrapper and runs subsequent statements in autocommit mode, leaving the trailing ROLLBACK ineffective. When the pgAdmin user holds ordinary database privileges, this permits unauthorized data modification; if the user is a superuser or has pg_execute_server_program, the chain extends to remote code execution on the database server through COPY … TO PROGRAM.

Affected Systems

This flaw affects pgAdmin 4 distributed by pgadmin.org. The vulnerable code is present in releases starting with version 9.13 up to, but not including, version 9.16. On any installation of those releases that has the AI Assistant enabled and where the attacker can inject data into objects the assistant reads, the vulnerability is exploitable.

Risk and Exploitability

The CVSS score of 9.4 classifies the issue as critical, and while the EPSS score is not available, the lack of a CISA KEV listing does not diminish the risk of exploitation. Attackers can reach the AI Assistant through the web interface, performing prompt injection by writing content into rows, columns or comments that the assistant processes. From ordinary write privileges the attacker can alter data, whereas a higher‑privileged pgAdmin user can execute arbitrary shell commands on the database host, making this a serious remote code execution vector with wide impact.

Generated by OpenCVE AI on June 19, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest pgAdmin 4 release (9.16 or newer) which introduces validation against non‑read‑only SQL and restricts transaction‑control verbs before the query reaches the database.
  • If an immediate upgrade is impossible, disable the AI Assistant feature or restrict its use to trusted users and prevent the pgAdmin role from having superuser or pg_execute_server_program privileges.
  • Reduce the privileges of the pgAdmin database user to the minimal set required for normal operation, ensuring it never has rights that could allow execution of server‑side programs.
  • Enable logging of all AI Assistant tool calls and monitor for unexpected SQL statements or repeated attempt patterns that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Columns: Type, Values Removed, Values Added (only added values appear in this entry).

Type: Description
Values added: Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role. The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect. Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM. Fix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects. This issue affects pgAdmin 4: from 9.13 before 9.16.

Type: Title
Values added: pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution

Type: Weaknesses
Values added: CWE-77, CWE-89

Type: References
Values added: (none listed)

Type: Metrics
Values added:
cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}
cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-06-18T23:37:35.182Z

Reserved: 2026-06-11T20:40:06.461Z

Link: CVE-2026-12045

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')