Introduction
A SQL injection flaw in pgAdmin 4's Maintenance Tool allows an authenticated user to pivot from a simple parameter injection into full operating system command execution on the database host. For organizations relying on pgAdmin as their primary PostgreSQL management interface, this vulnerability (scored CVSS 8.8) represents a direct path from a web application compromise to control of the underlying server.
pgAdmin is the most popular and feature rich open source administration and development platform for PostgreSQL. It serves as the default graphical management tool for PostgreSQL deployments across enterprises, cloud environments, and development teams worldwide. Given its role as the primary administrative interface for one of the most widely deployed open source databases, security issues in pgAdmin have outsized impact.
Technical Information
The root cause of CVE-2026-7815 lies in the pgAdmin 4 Maintenance Tool's construction of SQL commands for VACUUM, ANALYZE, and REINDEX operations. Four user supplied JSON fields are concatenated directly into the rendered command string and passed to psql --command without sanitization or validation:
| Vulnerable JSON Field | Affected Commands |
|---|---|
buffer_usage_limit | VACUUM, ANALYZE, REINDEX |
vacuum_parallel | VACUUM, ANALYZE, REINDEX |
vacuum_index_cleanup | VACUUM, ANALYZE, REINDEX |
reindex_tablespace | VACUUM, ANALYZE, REINDEX |
When a maintenance operation is triggered through the pgAdmin web interface, the backend takes the values from these JSON fields and embeds them directly into the SQL command string. There is no allow listing, no parameterized construction, and (in the case of reindex_tablespace) only manual quoting that can be bypassed.
Attack Flow
The exploitation chain works as follows:
-
Authentication: The attacker authenticates to the pgAdmin 4 web interface. They must hold the
tools_maintenancepermission, which grants access to the Maintenance Tool. -
Payload Delivery: The attacker initiates a maintenance operation (for example, a VACUUM) and supplies a crafted value in one of the four vulnerable JSON fields. The payload is designed to break out of the expected option syntax.
-
Command Construction: The pgAdmin backend concatenates the attacker controlled value directly into the SQL command string without validation.
-
Execution via psql: The constructed command is passed to
psql --commandfor execution against the connected PostgreSQL server. The injected SQL executes with the privileges of the active database connection. -
OS Command Escalation: To escalate beyond database level access, the attacker leverages PostgreSQL's
COPY ... TO PROGRAMstatement. This built in PostgreSQL feature (available to superusers) allows execution of arbitrary operating system commands on the database host, running with the privileges of the PostgreSQL service account.
The COPY ... TO PROGRAM escalation path is well documented and requires no novel techniques. If the pgAdmin connection uses a superuser role, which is common in administrative deployments, the path from SQL injection to full OS command execution is direct.
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The low attack complexity and lack of required user interaction, combined with high impact across all three CIA triad dimensions, justify the 8.8 score.
Fix Details
The vendor remediation in version 9.15 (commit cf53953d9) addresses the issue through two changes:
- Server side allow listing for all four vulnerable JSON fields, ensuring only expected values pass through.
- Replacing manual quoting of
reindex_tablespacewith theqtIdentfilter, which provides proper PostgreSQL identifier escaping.
Affected Systems and Versions
The vulnerability affects pgAdmin 4 versions from 7.6 up to (but not including) 9.15. Any deployment running a version in this range with the Maintenance Tool accessible to users holding the tools_maintenance permission is vulnerable.
The fixed version is pgAdmin 4 9.15.
Vendor Security History
pgAdmin has exhibited a pattern of command execution vulnerabilities in its operational tooling:
| CVE Identifier | Affected Version | Vulnerability Type | Impact |
|---|---|---|---|
| CVE-2026-7815 | 7.6 to before 9.15 | SQL Injection | OS Command Execution via COPY TO PROGRAM |
| CVE-2026-1707 | 9.11 | Restore Restriction Bypass | Command execution during restore operations |
CVE-2026-1707 allowed attackers with web interface access to extract a restriction key and overwrite restore scripts, resulting in reliable command execution on the pgAdmin host. The recurrence of command execution risks in pgAdmin's administrative tooling highlights the importance of treating pgAdmin instances as high value targets and applying updates promptly.



