CVE-2026-7816
Description
OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.
User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject ") TO PROGRAM 'cmd'" to break out of the \copy (...) context and achieve arbitrary command execution on the pgAdmin server, or ") TO '/path'" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.
Fix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.
This issue affects pgAdmin 4: before 9.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pgadmin4PyPI | < 9.15 | 9.15 |
Affected products
3(expand)+ 1 more
- (no CPE)
- cpe:2.3:a:pgadmin:pgadmin_4:*:*:*:*:*:postgresql:*:*range: >=9.4,<9.15
Patches
Vulnerability mechanics
References
4- github.com/pgadmin-org/pgadmin4/issues/9899nvdIssue TrackingPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-j74f-g7vx-fh4xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-7816ghsaADVISORY
- github.com/pgadmin-org/pgadmin4/commit/13badc62cghsaWEB
News mentions
0No linked articles in our index yet.