pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout (CVE-2026-7816)

CVSS 3.1 base score: 8.8 / 10 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

The fix adds a parenthesis-balance parser modeled on psql's strtokx tokenizer, allow-lists the format, on_error and log_verbosity values, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4 before 9.15.
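To make the described mitigation concrete, here is an added illustrative validator (not pgAdmin's own code). It approximates the three defensive measures the advisory names: a parenthesis-balance check that skips quoted text the way psql's strtokx tokenizer does, allow-lists for the ancillary COPY options, and rejection of null bytes in the query. The allow-list contents and the exact \copy template layout are assumptions; the key property is that the query text can never close the parenthesis the template itself opened, which is precisely what the ") TO PROGRAM 'cmd'" breakout relies on.

```python
"""Illustrative input validation for a psql \\copy export template.

Added example, not pgAdmin's code: a simplified stand-in for the
parens-balance check, allow-lists and null-byte rejection the advisory
describes. The metacommand layout below is assumed, not the project's.
"""

# Allow-lists for the ancillary COPY options (assumed sets for illustration).
ALLOWED_FORMAT = {"csv", "text", "binary"}
ALLOWED_ON_ERROR = {"stop", "ignore"}
ALLOWED_LOG_VERBOSITY = {"default", "verbose"}


class UnsafeExportInput(ValueError):
    """Raised when a field would alter the structure of the metacommand."""


def parens_balanced(query: str) -> bool:
    """True when parentheses outside quotes stay balanced and the depth
    never drops below zero, so the text cannot close the template's own
    opening parenthesis. Single-quoted literals and double-quoted
    identifiers are skipped, with a doubled quote as the escape, which
    approximates how psql's strtokx tokenizes a \\copy line (simplified)."""
    depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch in ("'", '"'):
            quote = ch
            i += 1
            while i < n:
                if query[i] == quote:
                    if i + 1 < n and query[i + 1] == quote:
                        i += 2          # '' or "" is an escaped quote
                        continue
                    break
                i += 1
            if i >= n:
                return False            # unterminated quote: treat as unsafe
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False            # closes a paren the query did not open
        i += 1
    return depth == 0


def build_copy_command(query: str, path: str, fmt: str,
                       on_error: str, log_verbosity: str) -> str:
    """Validate every user-controlled field, then render the metacommand."""
    if "\x00" in query:
        raise UnsafeExportInput("null byte in query")
    if not parens_balanced(query):
        raise UnsafeExportInput("unbalanced parentheses in query")
    if fmt not in ALLOWED_FORMAT:
        raise UnsafeExportInput(f"format not allowed: {fmt!r}")
    if on_error not in ALLOWED_ON_ERROR:
        raise UnsafeExportInput(f"on_error not allowed: {on_error!r}")
    if log_verbosity not in ALLOWED_LOG_VERBOSITY:
        raise UnsafeExportInput(f"log_verbosity not allowed: {log_verbosity!r}")
    # Hypothetical template; doubling single quotes keeps the path inside its literal.
    safe_path = path.replace("'", "''")
    return (f"\\copy ({query}) TO '{safe_path}' "
            f"WITH (FORMAT {fmt}, ON_ERROR {on_error}, LOG_VERBOSITY {log_verbosity})")


if __name__ == "__main__":
    # Constructed inputs: a legitimate query with a parenthesis inside a
    # string literal, then the two breakout shapes quoted in the advisory.
    print(build_copy_command("SELECT ')' AS s, (1+2) AS n", "/tmp/out.csv",
                             "csv", "stop", "default"))
    for bad in ["SELECT 1) TO PROGRAM 'cmd'", "SELECT 1) TO '/path'",
                "SELECT '\x00'"]:
        try:
            build_copy_command(bad, "/tmp/out.csv", "csv", "stop", "default")
        except UnsafeExportInput as exc:
            print("rejected:", exc)
```

The quote-aware scan matters for correctness as well as safety: a naive character count would reject a legitimate query such as SELECT ')' while still being fooled by nothing the naive version catches better. Rejecting any point where the depth goes negative, rather than only checking the final count, is what defeats a query that closes the template's parenthesis and later reopens one to balance the total.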

Basic Information

ID: CVE-2026-7816
Source: PostgreSQL
Published: May 11, 2026 at 14:35

Affected Product

Vendor: pgadmin.org
Product: pgAdmin 4
Version: 9.4
Affected Versions: pgadmin.org pgAdmin 4 9.4

AI Assessment

AI Score: 8.8 / 10
AI Severity: High
Vendor: The pgAdmin Development Team
Product: pgAdmin 4
Version: before 9.15
