pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout
CVE-2026-7816

8.7HIGH

Key Information:

Vendor: Pgadmin.org
Status: Pgadmin 4
Vendor: CVE Published:; 11 May 2026

🔔 Create Pgadmin.org Vulnerability Alert

What is CVE-2026-7816?

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.

Affected Version(s)

pgAdmin 4 9.4

References

https://github.com/pgadmin-org/pgadmin4/issues/9899

issue-tracking

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 4, 2026

Credit

Chung Kim (chungkn), OneMount Group

CVE-2026-7816 Data

JSON