pgAdmin 4 CVE-2026-7816: OS Command Injection via Query Export

The National Vulnerability Database has detailed CVE-2026-7816, a critical OS command injection vulnerability (CWE-78) affecting pgAdmin 4 versions prior to 9.15. This flaw resides in the Import/Export query export functionality, where user-supplied input was directly interpolated into psql \copy metacommand templates without proper sanitization. This is a classic injection scenario, ripe for abuse.

An authenticated attacker could exploit this by injecting ") TO PROGRAM 'cmd'" to break out of the \copy (...) context, leading to arbitrary command execution on the pgAdmin server. Alternatively, ") TO '/path'" could facilitate arbitrary file writes. The National Vulnerability Database notes that additional fields such as format, on_error, and log_verbosity were also vulnerable to raw interpolation, expanding the attack surface.

To remediate this, pgAdmin 4 versions 9.15 and later implement a parens-balance parser, modeled after psql’s strtokx tokenizer. The fix also allow-lists format, on_error, and log_verbosity parameters, rejects null bytes in queries, and tightens type and gating checks. This is a high-severity vulnerability with a CVSS score of 8.8, underscoring the immediate risk to affected environments.
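The three checks named above (parenthesis balance, allow-listed options, null-byte rejection), sketched as an added Python example; this is not pgAdmin's own code. The function names, the simplified quote handling and the allow-list values (taken from PostgreSQL's COPY options) are assumptions, and the sample inputs are constructed from the patterns quoted on this page.

```python
# Added illustration of the validation described above; NOT pgAdmin's code.
# Assumption: allow-list values mirror PostgreSQL's documented COPY options.
ALLOWED = {
    "format": {"text", "csv", "binary"},
    "on_error": {"stop", "ignore"},
    "log_verbosity": {"default", "verbose", "silent"},
}


def parens_balanced(query: str) -> bool:
    """True only if no ')' in the query can close a paren opened outside it."""
    depth = 0
    quote = None  # the quote character currently open, if any
    for ch in query:
        if quote:
            if ch == quote:   # a doubled quote ('') simply re-opens next char
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:     # would terminate the enclosing \copy ( ... )
                return False
    return depth == 0 and quote is None


def validate_export(query: str, options: dict) -> list:
    """Return rejection reasons; an empty list means the request passes."""
    errors = []
    if "\x00" in query:
        errors.append("null byte in query")
    if not parens_balanced(query):
        errors.append("unbalanced parentheses or quotes in query")
    for name, allowed in ALLOWED.items():
        value = options.get(name)
        if value is not None and (not isinstance(value, str)
                                  or value.lower() not in allowed):
            errors.append(f"option {name} not in allow-list")
    return errors


if __name__ == "__main__":
    # Constructed samples: a normal query, then the break-out shape from the text.
    print(validate_export("SELECT count(*) FROM t WHERE n = 'a)b'", {"format": "csv"}))
    print(validate_export("SELECT 1) TO PROGRAM 'cmd'", {"format": "csv"}))
```

The scanner fails closed: a query whose parentheses or quotes do not balance is rejected outright rather than repaired.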

What This Means For You

  • If your organization uses pgAdmin 4, verify your version immediately. Any installation running pgAdmin 4 prior to 9.15 is exposed to authenticated remote command execution via CVE-2026-7816. Patching to version 9.15 or newer is non-negotiable to prevent attackers from gaining control of the pgAdmin server.

🛡️ Detection Rules

title: CVE-2026-7816: pgAdmin 4 OS Command Injection via Query Export
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects the specific exploit pattern for CVE-2026-7816 in pgAdmin 4. The vulnerability allows OS command injection when exporting queries. This rule looks for POST requests to the '/export_query' endpoint containing the specific payload pattern ") TO PROGRAM '" which indicates an attempt to execute arbitrary commands on the pgAdmin server.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7816/
tags:
  - attack.initial_access
  - attack.t1190
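logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/export_query'
    cs-method:
      - 'POST'
    # Matches only when the payload is logged in the query string; POST bodies
    # are usually absent from web server logs, and the value may be URL-encoded.
    cs-uri-query|contains:
      - ") TO PROGRAM '"
  condition: selection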
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7816 | Command Injection | pgAdmin 4 versions before 9.15
CVE-2026-7816 | Command Injection | CWE-78
CVE-2026-7816 | Command Injection | pgAdmin 4 Import/Export query export functionality
CVE-2026-7816 | Arbitrary File Write | pgAdmin 4 Import/Export query export functionality

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 19:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.