{“lastseen”:””,”description”:”Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user’s database role.\\n\\nThe AI Assistant’s execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.\\n\\nDelivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user’s role the attacker can perform unauthorised data modification. When the pgAdmin user’s role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY … TO PROGRAM.\\n\\nFix validates the LLM-supplied query up front: it must parse to exactly one non-empty \/ non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET\/RESET, and everything else are rejected before any database work happens. PostgreSQL’s READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.\\n\\nThis issue affects pgAdmin 4: from 9.13 before 9.16.”,”published”:”2026-06-18T23:37:35.182Z”,”modified”:”2026-06-18T23:37:35.182Z”,”type”:”cve”,”title”:”pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution”,”source”:”PostgreSQL”,”references”:”https:\/\/github.com\/pgadmin-org\/pgadmin4\/issues\/10022\\nhttps:\/\/github.com\/pgadmin-org\/pgadmin4\/commit\/bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b”,”id”:”CVE-2026-12045″,”bulletinFamily”:””,”cwe”:[“CWE-89″,”CWE-77″],”cvelist”:null,”sourceData”:”pgadmin.org pgAdmin 4 9.13″,”sourceHref”:””,”cvss”:{“score”:9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”pgAdmin 4″,”version”:”9.13″,”vendor”:”pgadmin.org”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,86,12,13,7,11,5],"class_list":["post-64305","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-90","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n