pgadmin4: pgAdmin 4: Arbitrary SQL execution via SQL injection in restore point endpoint
Description
Affected products: 1
Patches
Vulnerability mechanics
Root cause
"User-supplied restore point name interpolated into SQL via str.format() instead of being passed as a bound parameter."
Attack vector
An authenticated attacker sends a crafted request to the named restore point endpoint with a restore point name containing SQL metacharacters. Because the name is interpolated into the statement text via `str.format()` rather than bound as a parameter, the database parses the metacharacters as SQL syntax, allowing arbitrary SQL statements to be executed. The vulnerability is reachable over the network with low attack complexity and requires only low-privilege authentication [patch_id=6590910].
Affected code
The named restore point endpoint in pgAdmin 4 interpolated the user-supplied restore point name into SQL via `str.format()` instead of passing it as a bound parameter. This is referenced in the patch notes for Issue #10026 [patch_id=6590910].
What the fix does
The patch switches from `str.format()` interpolation to a bound parameter for the restore point name, so the database driver transmits the name as a value rather than as statement text and it can no longer alter the query. The commit message explicitly states that the user-supplied restore point name was previously interpolated into SQL via `str.format()` instead of being passed as a bound parameter [patch_id=6590910]. No further code diff is shown in the bundle.
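The two patterns side by side, as an added example that is not pgAdmin's own code and is not taken from the patch. Because PostgreSQL's `pg_create_restore_point()` is not available offline, the example records restore point names in an in-memory SQLite table; the table name, function names and the sample name containing a quote and a parenthesis are all constructed for the demonstration. SQLite's placeholder is `?` where psycopg-style drivers use `%s`, but the binding behaviour is the same.

```python
import sqlite3

# Constructed stand-in for the real endpoint's storage: a local table of names.
SCHEMA = "CREATE TABLE restore_points (name TEXT NOT NULL)"


def open_demo_db() -> sqlite3.Connection:
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def create_restore_point_vulnerable(conn: sqlite3.Connection, name: str) -> int:
    """Pattern the advisory describes: the name is spliced into the statement
    text with str.format(), so quotes and parentheses inside it are parsed as
    SQL rather than treated as part of the value. Returns the row count after
    the insert so the caller can see whether the statement shape changed."""
    sql = "INSERT INTO restore_points (name) VALUES ('{0}')".format(name)
    conn.execute(sql)
    return conn.execute("SELECT COUNT(*) FROM restore_points").fetchone()[0]


def create_restore_point_fixed(conn: sqlite3.Connection, name: str) -> int:
    """Hardened form, equivalent to what the patch does: a placeholder in the
    SQL and the name passed separately as a bound parameter. The driver sends
    the value out of band, so the parser never sees its characters as syntax."""
    conn.execute("INSERT INTO restore_points (name) VALUES (?)", (name,))
    return conn.execute("SELECT COUNT(*) FROM restore_points").fetchone()[0]


def stored_names(conn: sqlite3.Connection) -> list:
    """Names exactly as the database stored them, in insertion order."""
    rows = conn.execute("SELECT name FROM restore_points ORDER BY rowid")
    return [row[0] for row in rows]


if __name__ == "__main__":
    # Constructed sample input: a name that closes the string literal and the
    # VALUES tuple. With interpolation it becomes two rows; with binding it is
    # one row whose name is stored verbatim.
    sample = "pre_upgrade'), ('extra"

    vuln = open_demo_db()
    print("interpolated:", create_restore_point_vulnerable(vuln, sample), stored_names(vuln))

    fixed = open_demo_db()
    print("bound:       ", create_restore_point_fixed(fixed, sample), stored_names(fixed))
```

A useful review check for code of this kind is to search for `.format(` and f-strings whose result is passed to `execute()`; any occurrence where the formatted value originates from a request is the same defect, whatever the endpoint. The bound form also handles names that merely contain an apostrophe, which break the interpolated statement outright.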
Preconditions
- auth: The attacker must be authenticated to pgAdmin 4
- network: The attacker must have network access to the named restore point endpoint
- input: The attacker supplies a restore point name containing SQL metacharacters
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions: 0
No linked articles in our index yet.