pgAdmin 4 SQLi (CVE-2026-7815) Allows RCE on PostgreSQL Servers
The National Vulnerability Database has disclosed CVE-2026-7815, a critical SQL injection vulnerability in pgAdmin 4’s Maintenance Tool. This flaw stems from four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) being directly concatenated into VACUUM/ANALYZE/REINDEX commands. These commands are then passed to psql --command, creating a dangerous injection vector.
An authenticated user with tools_maintenance permissions can exploit this to break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. Crucially, the National Vulnerability Database notes that this injected SQL can further invoke COPY ... TO PROGRAM to achieve operating-system command execution on the database host, escalating the impact significantly. This is a full compromise chain from a privileged user to RCE.
pgAdmin 4 versions prior to 9.15 are affected. The fix involves server-side allow-listing for all four vulnerable fields and switching reindex_tablespace to use the qtIdent filter for proper quoting. With a CVSS score of 8.8 (HIGH), this isn’t theoretical; it’s a direct path to database and potentially server compromise.
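As an added illustration of the fix pattern described above (example code, not pgAdmin's own): a server-side validator that allow-lists the three VACUUM option fields and passes reindex_tablespace through an identifier quoter before the command text is assembled, so a value that does not fit the option grammar is refused rather than concatenated. The allow-lists and the `qt_ident` helper are assumptions modeled on PostgreSQL's documented VACUUM/REINDEX option syntax; pgAdmin's real qtIdent filter and its exact lists may differ.

```python
import re
# Allow-lists are this example's own, modeled on PostgreSQL's documented option
# grammar (assumption: pgAdmin's actual lists may differ).
INDEX_CLEANUP_VALUES = {"auto", "on", "off"}
BUFFER_LIMIT_RE = re.compile(r"[0-9]+(kB|MB|GB|TB)?")

def qt_ident(name):
    """Quote a PostgreSQL identifier (stand-in for pgAdmin's qtIdent filter)."""
    if not isinstance(name, str) or not name or "\x00" in name:
        raise ValueError("invalid identifier: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'

def validate_vacuum_options(opts):
    """Map JSON fields to SQL clauses; off-list values raise, never concatenate."""
    clean = []
    if "buffer_usage_limit" in opts:
        v = str(opts["buffer_usage_limit"])
        if not BUFFER_LIMIT_RE.fullmatch(v):
            raise ValueError("buffer_usage_limit rejected: %r" % v)
        clean.append("BUFFER_USAGE_LIMIT '%s'" % v)
    if "vacuum_parallel" in opts:
        v = opts["vacuum_parallel"]
        if isinstance(v, bool) or not isinstance(v, int) or v < 0:
            raise ValueError("vacuum_parallel rejected: %r" % (v,))
        clean.append("PARALLEL %d" % v)
    if "vacuum_index_cleanup" in opts:
        v = str(opts["vacuum_index_cleanup"]).lower()
        if v not in INDEX_CLEANUP_VALUES:
            raise ValueError("vacuum_index_cleanup rejected: %r" % v)
        clean.append("INDEX_CLEANUP %s" % v.upper())
    return clean

def build_vacuum(table, opts):
    """VACUUM built only from validated clauses and a quoted table name."""
    clauses = validate_vacuum_options(opts)
    prefix = "VACUUM (%s)" % ", ".join(clauses) if clauses else "VACUUM"
    return "%s %s;" % (prefix, qt_ident(table))

def build_reindex(table, opts):
    """REINDEX with reindex_tablespace passed through the identifier quoter."""
    ts = opts.get("reindex_tablespace")
    if ts is None:
        return "REINDEX TABLE %s;" % qt_ident(table)
    return "REINDEX (TABLESPACE %s) TABLE %s;" % (qt_ident(ts), qt_ident(table))

def rejects(field, value):
    # True when the allow-list refuses this value for the given JSON field.
    try:
        validate_vacuum_options({field: value})
    except ValueError:
        return True
    return False
```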
What This Means For You
- If your organization uses pgAdmin 4, you need to immediately identify all instances running versions prior to 9.15. Patching to version 9.15 or later is non-negotiable. Furthermore, review your access controls for pgAdmin 4: ensure only strictly necessary personnel have `tools_maintenance` permissions. This vulnerability turns a privileged database user into a potential server-level attacker, so assume compromise if you are running unpatched versions and have active users.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7815 | SQLi | pgAdmin 4 Maintenance Tool |
| CVE-2026-7815 | SQLi | pgAdmin 4 versions before 9.15 |
| CVE-2026-7815 | RCE | Authenticated user with tools_maintenance permission can execute arbitrary SQL via VACUUM/ANALYZE/REINDEX command, leading to OS command execution via COPY ... TO PROGRAM. |
| CVE-2026-7815 | SQLi | Vulnerable JSON fields: buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 19:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.