SQL Injection Vulnerability in pgAdmin 4 by pgAdmin
CVE-2026-7815

8.7HIGH

Key Information:

Vendor: Pgadmin.org
Status: Pgadmin 4
Vendor: CVE Published:; 11 May 2026

🔔 Create Pgadmin.org Vulnerability Alert

What is CVE-2026-7815?

An SQL injection vulnerability exists in the pgAdmin 4 Maintenance Tool, allowing an authenticated user with appropriate permissions to inject arbitrary SQL commands. By manipulating four user-input JSON fields, the attacker can execute unauthorized SQL queries on the PostgreSQL server. This exploitation could lead to the execution of OS commands on the host database, posing serious security risks. The recent fix introduces a server-side allow-list for the affected fields to mitigate this risk, enhancing the security posture of pgAdmin 4.

Affected Version(s)

pgAdmin 4 7.6

References

https://github.com/pgadmin-org/pgadmin4/issues/9898

issue-tracking

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 4, 2026

Credit

j3seer

CVE-2026-7815 Data

JSON