Description
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.
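The validation the fix describes, as an added illustration rather than pgAdmin's own code: a strtokx-style scan that does not count parentheses inside quoted literals or identifiers, rejects a query that would close or leave open the \copy (...) context, rejects null bytes, and allow-lists the option fields instead of interpolating them raw. The function names and the allow-listed option values are assumptions.

```python
# Added illustration modelled on the fix described above; not pgAdmin's code.
# Function names and the allow-listed option values are assumptions.
ALLOWED = {
    "format": {"csv", "text", "binary"},
    "on_error": {"stop", "ignore"},
    "log_verbosity": {"default", "verbose", "silent"},
}


def paren_depth_ok(query: str) -> bool:
    """Scan like a strtokx-style tokenizer: parentheses inside single-quoted
    literals and double-quoted identifiers do not count. Return False if the
    depth ever drops below zero (the outer '(' of \\copy (...) would be closed,
    which is what ') TO PROGRAM ...' relies on), if a quote is unterminated,
    or if the depth is not back to zero at the end."""
    depth, i, n = 0, 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):
            i += 1                        # step into the quoted region
            while i < n and not (query[i] == c and query[i + 1:i + 2] != c):
                i += 2 if query[i] == c else 1   # a doubled quote is an escape
            if i >= n:
                return False              # unterminated quote
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def build_copy_command(query, path, fmt="csv", on_error="stop",
                       log_verbosity="default"):
    """Return the \\copy metacommand, or raise ValueError on rejected input."""
    if not isinstance(query, str) or "\x00" in query:
        raise ValueError("query must be a str without null bytes")
    if not paren_depth_ok(query):
        raise ValueError("query would break out of the \\copy (...) context")
    opts = {"format": fmt, "on_error": on_error, "log_verbosity": log_verbosity}
    for key, val in opts.items():         # allow-list instead of raw interpolation
        if not isinstance(val, str) or val.lower() not in ALLOWED[key]:
            raise ValueError(f"{key}: value not in allow-list")
    safe_path = path.replace("'", "''")   # path is server-chosen; quote anyway
    return (f"\\copy ({query}) TO '{safe_path}' WITH (FORMAT {fmt.lower()}, "
            f"ON_ERROR {on_error.lower()}, LOG_VERBOSITY {log_verbosity.lower()})")
```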
Published: 2026-05-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in pgAdmin 4's Import/Export query export, where an attacker can inject \copy metacommand syntax such as ") TO PROGRAM 'cmd'". Because the injected payload escapes the \copy (...) context, it enables execution of arbitrary programs on the host running pgAdmin 4, and ") TO '/path'" enables arbitrary file writes. The other interpolated fields (format, on_error, log_verbosity) are affected as well, widening the attack surface.

Affected Systems

pgAdmin 4 versions before 9.15 (from pgadmin.org) are impacted. Any system running a pre-9.15 build of pgAdmin 4 should evaluate the risk, since the flaw can be exploited by users who can authenticate to the pgAdmin web interface.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity, while the EPSS score of < 1% indicates a very low likelihood of exploitation at present and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack requires an authenticated session to the pgAdmin web interface and is therefore a local privilege escalation for legitimate database administrators. If leveraged, the flaw can compromise confidentiality, integrity, and availability by allowing arbitrary code execution or modification of files on the host running pgAdmin 4.

Generated by OpenCVE AI on May 26, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pgAdmin 4 version 9.15 or later to apply the added parens-balance parser and input validation
  • If an upgrade is not immediately possible, limit or disable the Import/Export feature for untrusted users until the patch is applied
  • Monitor system logs for unexpected \copy statements or execution of unknown programs originating from the pgAdmin interface


Advisories

Source: Github GHSA
ID: GHSA-j74f-g7vx-fh4x
Title: pgAdmin 4: OS command injection vulnerability in Import/Export query export

History

Tue, 26 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*

Tue, 12 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Pgadmin
Pgadmin pgadmin 4
Vendors & Products Pgadmin
Pgadmin pgadmin 4

Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.
Title pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-26T13:39:15.001Z

Reserved: 2026-05-04T21:26:58.164Z

Link: CVE-2026-7816

Vulnrichment

Updated: 2026-05-11T16:08:42.394Z

NVD

Status : Modified

Published: 2026-05-11T16:17:38.260

Modified: 2026-05-26T15:16:56.457

Link: CVE-2026-7816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T17:00:13Z

Weaknesses