Description
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.
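
As an added illustration of the validation the fix describes (example code written for this page, not pgAdmin's or psql's own implementation; the allow-listed option values and the function names are assumptions), a quote-aware parenthesis-balance check in the spirit of psql's strtokx, with option allow-lists and null-byte rejection:

```python
# Illustrative validation for a `\copy ( <query> ) TO '<path>' ...` template,
# modeled on the fix described in the advisory. Added example for this page,
# not pgAdmin's or psql's own code; the option allow-lists are constructed.
ALLOWED_OPTIONS = {
    "format": {"csv", "text", "binary"},
    "on_error": {"stop", "ignore"},
    "log_verbosity": {"default", "verbose", "silent"},
}

def copy_query_is_balanced(query: str) -> bool:
    """Scan the query the way a quote-aware tokenizer (psql's strtokx style)
    would: text inside '...' or "..." (a doubled quote is an escape) is opaque;
    outside quotes, track parenthesis depth. Reject if any ')' would close the
    outer \\copy ( paren, if parens stay open, or if a quote never closes."""
    depth, i, n = 0, 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):
            j = i + 1
            while True:
                j = query.find(c, j)
                if j == -1:
                    return False              # unterminated quoted token
                if query.startswith(c, j + 1):
                    j += 2                    # doubled quote: still inside
                    continue
                break
            i = j + 1
        else:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth < 0:
                    return False              # would close the \copy ( ... ) context
            i += 1
    return depth == 0

def validate_export_request(query: str, **options) -> list:
    """Return rejection reasons for an export request (empty list = accepted)."""
    problems = []
    if "\x00" in query:
        problems.append("query contains a null byte")
    if not copy_query_is_balanced(query):
        problems.append("query is not parenthesis-balanced outside quotes")
    for name, value in options.items():          # format, on_error, log_verbosity
        if not isinstance(value, str) or value.lower() not in ALLOWED_OPTIONS.get(name, set()):
            problems.append(f"{name}={value!r} is not an allowed value")
    return problems
```

The checker is deliberately conservative: anything it cannot prove balanced outside quotes is rejected rather than interpolated.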

This issue affects pgAdmin 4: before 9.15.
Published: 2026-05-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw embedded in pgAdmin 4’s Import/Export query export allows an authenticated user to weave shell commands into a psql \copy metacommand. By supplying an input such as ") TO PROGRAM 'cmd'", the attacker can break out of the expected context and run arbitrary programs on the host running pgAdmin, or spawn file writes with ") TO '/path'". The flaw also exists for other fields—format, on_error, log_verbosity—owing to raw interpolation, thereby expanding the attack surface. The vulnerability essentially grants the attacker remote code execution capabilities. The CVE records list this vulnerability as CWE-89.

Affected Systems

pgAdmin 4 releases prior to version 9.15 from pgadmin.org. All users running these releases should evaluate the severity and plan remediation.

Risk and Exploitability

The CVSS score of 8.7 marks the issue as high severity. EPSS data is unavailable, and the vulnerability does not appear in the CISA KEV catalog, implying no publicly confirmed exploits yet. Nevertheless, the flaw requires merely local authentication to pgAdmin, which is typically granted to database administrators. Given the potential for arbitrary code execution or file overwrite on the host, the risk to confidentiality, integrity, and availability is significant.

Generated by OpenCVE AI on May 11, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pgAdmin 4 version 9.15 or later to enable the added parens-balance parser and input validation
  • If an upgrade is not immediately possible, restrict or disable Import/Export functionality for any untrusted users until the patches are applied
  • Monitor system logs for unexpected \copy statements or execution of unknown programs originating from the pgAdmin interface

Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Pgadmin
                                        Pgadmin pgadmin 4
Vendors & Products                      Pgadmin
                                        Pgadmin pgadmin 4

Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Mon, 11 May 2026 16:15:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-89
Metrics                         ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type          Values Removed    Values Added
Description                     OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable. Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks. This issue affects pgAdmin 4: before 9.15.
Title                           pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout
References
Metrics                         cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

                                cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Pgadmin Pgadmin 4
MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-11T16:08:46.148Z

Reserved: 2026-05-04T21:26:58.164Z

Link: CVE-2026-7816

Vulnrichment

Updated: 2026-05-11T16:08:42.394Z

NVD

Status : Received

Published: 2026-05-11T16:17:38.260

Modified: 2026-05-11T17:16:35.000

Link: CVE-2026-7816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses