Threat Advisory

Critical pgAdmin 4 Vulnerabilities Enable Remote Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in pgAdmin 4, the widely deployed graphical management tool for PostgreSQL, affecting versions prior to 9.16. The flaws encompass remote code execution through unauthenticated pickle deserialization, an authentication bypass that enables unauthorized writes via the AI Assistant, and a stored cross‑site scripting issue that can inject malicious HTML into the interface. Exploitation could allow attackers to execute arbitrary code on the management server, compromise database integrity, and conduct phishing or data exfiltration campaigns. The combined impact threatens the confidentiality, integrity, and availability of critical data assets across organizations that rely on shared or server‑mode pgAdmin deployments.

  • CVE-2026-12048 with a CVSS score of 9.3 – Stored XSS in error and plan-node rendering allows a low‑privilege user to embed malicious HTML, which executes in the victim's browser and can be used for phishing or session hijacking.
  • CVE-2026-12046 with a CVSS score of 9.5 – Unauthenticated pickle deserialization on SQL Editor close and update_connection endpoints permits remote code execution if the attacker obtains the server's secret key and write access to the session directory.
  • CVE-2026-12045 with a CVSS score of 9.4 – AI Assistant prompt injection bypasses read‑only transaction controls, enabling crafted multi‑statement payloads to write data or trigger command execution via COPY TO PROGRAM.

These critical flaws collectively expose pgAdmin deployments to code execution, data manipulation, and credential theft, demanding immediate attention from administrators. If left unaddressed, attackers could compromise database servers, disrupt operations, and erode trust with customers and partners. Rapid remediation is essential to protect the confidentiality and continuity of your data services.
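As an added example, not pgAdmin's own code, a coarse defender-side triage in Python of the multi-statement batches the AI Assistant finding describes: it splits SQL text into top-level statements and flags writes and COPY ... PROGRAM so a read-only path can reject the batch before it reaches the server. The write-keyword list, the absence of dollar-quote handling and the classifier's coarseness (a SELECT can still call a function that writes) are assumptions and limitations; the check complements, and does not replace, database-side read-only transactions and patching.

```python
import re

# Statement-leading keywords treated as writes (assumed, non-exhaustive list).
WRITE_KEYWORDS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE", "CREATE", "ALTER",
                  "DROP", "GRANT", "REVOKE", "MERGE", "COPY"}
# COPY ... TO/FROM PROGRAM runs a shell command on the database host.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:TO|FROM)\s+PROGRAM\b", re.I | re.S)

def split_statements(sql):
    """Split SQL into top-level statements, ignoring ';' inside quotes and comments.
    Dollar-quoted strings ($$...$$) are not handled (a known limitation)."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):            # quoted literal/identifier; '' escapes a quote
            j = i + 1
            while j < n and not (sql[j] == ch and sql[j + 1:j + 2] != ch):
                j += 2 if sql[j] == ch else 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):   # line comment: skip to end of line
            j = sql.find("\n", i)
            i = n if j < 0 else j
        elif sql.startswith("/*", i):   # block comment: skip past the closer
            j = sql.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif ch == ";":                 # top-level statement boundary
            if "".join(buf).strip():
                stmts.append("".join(buf).strip())
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if "".join(buf).strip():
        stmts.append("".join(buf).strip())
    return stmts

def classify(stmt):
    """'program' for COPY ... PROGRAM, 'write' for DML/DDL, otherwise 'read'."""
    if PROGRAM_RE.search(stmt):
        return "program"
    first = re.match(r"\s*(\w+)", stmt)
    if first and first.group(1).upper() in WRITE_KEYWORDS:
        return "write"
    return "read"   # coarse: a SELECT may still call a function that writes

def audit_sql(sql):
    """Classify every top-level statement; a read-only path should accept only ['read']."""
    return [classify(s) for s in split_statements(sql)]
```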

RECOMMENDATION:

  • We recommend updating pgAdmin 4 to version 9.16.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/pgadmin-4-vulnerabilities/
