pgAdmin
cpe:2.3:a:pgadmin:pgadmin:*:*:*:*:postgresql:*:*, +1 more
- >= 7.6, < 9.15
A SQL injection vulnerability has been identified in the pgAdmin 4 Maintenance Tool, affecting versions 7.6 through 9.14. The issue arises because four user-supplied JSON fields—buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespace—were directly concatenated into the VACUUM, ANALYZE, or REINDEX command and passed to psql --command. This vulnerability allows an authenticated user with tools_maintenance permission to break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could then use COPY ... TO PROGRAM to escalate to operating-system command execution on the database host.
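The pattern the advisory describes, shown as an added example that is not pgAdmin's own code: the four JSON fields are concatenated into the maintenance command text, and because VACUUM, ANALYZE and REINDEX options are utility-command syntax rather than bind parameters, the only workable defence is strict validation of each value before it is placed in the command. The field names come from the advisory; the validation rules, the sample request bodies and the assumption that the target table name has already been validated are mine, and this is not necessarily how pgAdmin 9.15 fixed the issue.

```python
import re

# Constructed sample request bodies, modelled on the JSON fields the advisory
# names; they are not captured pgAdmin traffic.
GOOD_REQUEST = {
    "buffer_usage_limit": "64MB",
    "vacuum_parallel": 4,
    "vacuum_index_cleanup": "AUTO",
}
BAD_REQUEST = {
    "buffer_usage_limit": "64MB'); -- smuggled",  # closes the quoted option early
    "vacuum_parallel": 4,
    "vacuum_index_cleanup": "AUTO",
}


def build_vacuum_unsafe(data, table):
    """The vulnerable pattern: JSON values go straight into the command text."""
    opts = []
    if "buffer_usage_limit" in data:
        opts.append("BUFFER_USAGE_LIMIT '%s'" % data["buffer_usage_limit"])
    if "vacuum_parallel" in data:
        opts.append("PARALLEL %s" % data["vacuum_parallel"])
    if "vacuum_index_cleanup" in data:
        opts.append("INDEX_CLEANUP %s" % data["vacuum_index_cleanup"])
    return "VACUUM (%s) %s;" % (", ".join(opts), table)


# Assumed validation rules (not pgAdmin's): each option has a small, known
# value space, so allow-list it instead of trusting the client.
SIZE_RE = re.compile(r"^[0-9]+(kB|MB|GB|TB)?$")
INDEX_CLEANUP_VALUES = ("AUTO", "ON", "OFF")


def validate_maintenance_options(data):
    """Return a cleaned copy of the options, or raise ValueError."""
    cleaned = {}
    if "buffer_usage_limit" in data:
        limit = str(data["buffer_usage_limit"]).strip()
        if not SIZE_RE.match(limit):
            raise ValueError("buffer_usage_limit must be a size such as 64MB")
        cleaned["buffer_usage_limit"] = limit
    if "vacuum_parallel" in data:
        workers = data["vacuum_parallel"]
        if isinstance(workers, bool) or not isinstance(workers, int) or not 0 <= workers <= 1024:
            raise ValueError("vacuum_parallel must be an integer between 0 and 1024")
        cleaned["vacuum_parallel"] = workers
    if "vacuum_index_cleanup" in data:
        mode = str(data["vacuum_index_cleanup"]).upper()
        if mode not in INDEX_CLEANUP_VALUES:
            raise ValueError("vacuum_index_cleanup must be AUTO, ON or OFF")
        cleaned["vacuum_index_cleanup"] = mode
    if "reindex_tablespace" in data:
        # A tablespace name is an identifier and cannot be allow-listed, so
        # quote it the way PostgreSQL's quote_ident() does: wrap in double
        # quotes and double any embedded double quote.
        name = str(data["reindex_tablespace"])
        if "\x00" in name:
            raise ValueError("reindex_tablespace contains NUL")
        cleaned["reindex_tablespace"] = '"' + name.replace('"', '""') + '"'
    return cleaned


def build_vacuum_safe(data, table):
    """Build the VACUUM command only from validated option values."""
    cleaned = validate_maintenance_options(data)
    opts = []
    if "buffer_usage_limit" in cleaned:
        opts.append("BUFFER_USAGE_LIMIT '%s'" % cleaned["buffer_usage_limit"])
    if "vacuum_parallel" in cleaned:
        opts.append("PARALLEL %d" % cleaned["vacuum_parallel"])
    if "vacuum_index_cleanup" in cleaned:
        opts.append("INDEX_CLEANUP %s" % cleaned["vacuum_index_cleanup"])
    return "VACUUM (%s) %s;" % (", ".join(opts), table)


def build_reindex_safe(data, table):
    """Build the REINDEX command with a quoted, validated tablespace."""
    cleaned = validate_maintenance_options(data)
    if "reindex_tablespace" in cleaned:
        return "REINDEX (TABLESPACE %s) TABLE %s;" % (cleaned["reindex_tablespace"], table)
    return "REINDEX TABLE %s;" % table


def is_rejected(data, table="public.t"):
    """True when the validating builder refuses the request."""
    try:
        build_vacuum_safe(data, table)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The unsafe builder carries the smuggled text into the command; the
    # validating builder refuses the same request.
    print(build_vacuum_unsafe(BAD_REQUEST, "public.t"))
    print(build_vacuum_safe(GOOD_REQUEST, "public.t"))
    print("bad request rejected:", is_rejected(BAD_REQUEST))
```

The check to keep in mind when reviewing code of this shape: any value that ends up inside a command handed to `psql --command` must be constrained to its legitimate value space on the server side, since client-side form validation in the browser is not a boundary. Logging rejected requests with the user and the offending field gives the detection signal for attempts against the maintenance endpoint.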
Exploitation of this vulnerability allows for SQL injection, with the potential to execute arbitrary SQL commands on the connected PostgreSQL server. This could be further escalated to execute operating-system commands on the database host.
This vulnerability has been fixed in pgAdmin 4 version 9.15. Users should upgrade to this version.