CVE-2026-7815
April 10, 2026
SQL injection vulnerability in the pgAdmin 4 Maintenance Tool.
Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.
The fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.
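The two rendering patterns the advisory contrasts, as an added example in Python (the language pgAdmin is written in); this is not pgAdmin's code. `render_vacuum_unsafe` shows the vulnerable shape, where option values are interpolated verbatim, and `render_vacuum`/`render_reindex` show the hardened shape: each scalar option is checked against an allow-list and the tablespace is passed through identifier quoting. The allow-list regexes, the `quote_ident` helper (an approximation of the qtIdent filter the advisory names) and the sample table and option values are assumptions constructed for this example, not pgAdmin's own validation rules.

```python
"""Vulnerable vs. hardened rendering of VACUUM/REINDEX option values.

Added example, not pgAdmin's code. The allow-lists and quote_ident below are
assumptions chosen for illustration, not the exact checks pgAdmin ships.
"""
import re

# Assumed allow-lists for the three scalar options (constructed for this example).
INDEX_CLEANUP_VALUES = {"ON", "OFF", "AUTO"}
BUFFER_USAGE_LIMIT_RE = re.compile(r"^\d{1,10}(kB|MB|GB|TB)?$")  # e.g. 256kB, 1GB
PARALLEL_RE = re.compile(r"^\d{1,4}$")                           # worker count


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: double quotes, embedded quotes doubled.

    Approximates the qtIdent filter named in the advisory (assumption); it
    handles a single identifier, not dotted schema.name pairs.
    """
    if not name or "\0" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


def render_vacuum_unsafe(table: str, fields: dict) -> str:
    """The vulnerable shape: user-supplied values interpolated verbatim.

    Kept only for contrast with render_vacuum; never use this pattern.
    """
    opts = []
    if "vacuum_index_cleanup" in fields:
        opts.append("INDEX_CLEANUP " + fields["vacuum_index_cleanup"])
    if "vacuum_parallel" in fields:
        opts.append("PARALLEL " + fields["vacuum_parallel"])
    if "buffer_usage_limit" in fields:
        opts.append("BUFFER_USAGE_LIMIT '" + fields["buffer_usage_limit"] + "'")
    return "VACUUM (" + ", ".join(opts) + ") " + table + ";"


def render_vacuum(table: str, fields: dict) -> str:
    """Hardened shape: every scalar option must match its allow-list, and the
    table name goes through identifier quoting."""
    opts = []
    if "vacuum_index_cleanup" in fields:
        value = str(fields["vacuum_index_cleanup"]).upper()
        if value not in INDEX_CLEANUP_VALUES:
            raise ValueError("vacuum_index_cleanup must be ON, OFF or AUTO")
        opts.append("INDEX_CLEANUP " + value)
    if "vacuum_parallel" in fields:
        value = str(fields["vacuum_parallel"])
        if not PARALLEL_RE.fullmatch(value):
            raise ValueError("vacuum_parallel must be a non-negative integer")
        opts.append("PARALLEL " + value)
    if "buffer_usage_limit" in fields:
        value = str(fields["buffer_usage_limit"])
        if not BUFFER_USAGE_LIMIT_RE.fullmatch(value):
            raise ValueError("buffer_usage_limit must be a size such as 256kB")
        # The regex admits no quote characters, so the literal cannot be closed early.
        opts.append("BUFFER_USAGE_LIMIT '" + value + "'")
    option_clause = "(" + ", ".join(opts) + ") " if opts else ""
    return "VACUUM " + option_clause + quote_ident(table) + ";"


def render_reindex(table: str, tablespace: str) -> str:
    """Hardened REINDEX: the tablespace is a free-form identifier, so it is
    quoted rather than matched against a fixed list."""
    return ("REINDEX (TABLESPACE " + quote_ident(tablespace) + ") TABLE "
            + quote_ident(table) + ";")


def accepts(table: str, fields: dict) -> bool:
    """True if the hardened renderer accepts the fields, False if it rejects them."""
    try:
        render_vacuum(table, fields)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = {"vacuum_index_cleanup": "auto", "vacuum_parallel": "4",
            "buffer_usage_limit": "256kB"}
    print(render_vacuum("orders", good))
    # Constructed hostile value: closes the option list and adds a statement separator.
    bad = {"vacuum_index_cleanup": "AUTO) ; SELECT 1 ; --"}
    print(render_vacuum_unsafe("orders", bad))      # interpolated unchanged
    print("hardened accepts hostile value:", accepts("orders", bad))
    print(render_reindex("orders", 'fast"disk'))
```

The important design point is that the three scalar options get a closed allow-list rather than escaping, because their grammar is tiny and fully known, while the tablespace name is an arbitrary identifier and therefore needs identifier quoting that doubles embedded quote characters. Neither check depends on how `psql --command` later tokenizes the text.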
Affected versions
pgAdmin 4 >= 7.6, < 9.15
Severity
- CVSS 3.1: 8.8 (HIGH); vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- CVE: CVE-2026-7815
- Release notes: pgAdmin 4 9.15
Timeline
| Date | Event |
|---|---|
| 2026-04-14 | Vulnerability communicated to the pgAdmin 4 security team |
| 2026-05-01 | Vulnerability acknowledged and validated |
| 2026-05-11 | Issue published and fixed in v9.15 |