EXECUTIVE SUMMARY:
Four vulnerabilities have been discovered in pgAdmin 4, the open-source graphical administration tool for PostgreSQL databases. The flaws span several classes, including SQL injection, cross-site scripting (XSS), authentication bypass, deserialization, and open-redirect weaknesses. Exploitation could allow attackers to execute arbitrary SQL commands, inject malicious scripts into the interface, bypass read-only transaction controls, or gain unauthorized access to database management functions. For organizations that rely on pgAdmin for database administration, successful attacks may lead to data exfiltration, credential theft, unauthorized database modification, and potential service disruption, increasing overall operational risk.
CVE-2026-12044 with a CVSS score of 8.8 – A SQL injection vulnerability affects sixteen dialog templates where user-controlled input is not properly sanitized, enabling an attacker to craft malicious queries that run with the privileges of the pgAdmin process.
CVE-2026-12047 with a CVSS score of 4.8 – An HTML injection issue in cloud deployment integrations renders unsanitized SDK error messages in the browser, enabling attackers to insert arbitrary HTML content.
CVE-2026-12049 with a CVSS score of 5.3 – An open-redirect vulnerability in multi-factor authentication flows can redirect users to attacker-controlled sites, facilitating phishing or session hijacking.
CVE-2026-12050 with a CVSS score of 4.3 – A SQL injection bug in the restore point feature permits user input to be inserted into SQL queries without proper parameterization, allowing execution of arbitrary database commands.
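As an added illustration of the mitigation for the open-redirect class listed above (CVE-2026-12049), and not pgAdmin's own code: a validator for a post-authentication "next" parameter that accepts only paths on the application's own host and falls back to a fixed page otherwise. The host name, function names and fallback path are assumptions for the example.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample value: the host the application is served from (assumption).
APP_HOST = "pgadmin.example.internal"


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Return True only if `target` resolves to a location on `app_host`.

    Rejects absolute URLs to other hosts, scheme-relative URLs (//evil),
    non-http(s) schemes (javascript:, data:), userinfo tricks (host@evil)
    and backslashes, which some browsers normalise into a second slash.
    """
    if not target or "\\" in target or any(c in target for c in "\r\n\x00"):
        return False
    # Resolve the target against the app's own origin so that "/path",
    # "path", "//host/path" and "https://host/path" are all parsed the same way.
    base = f"https://{app_host}/"
    resolved = urlsplit(urljoin(base, target))
    if resolved.scheme not in ("http", "https"):
        return False
    # urljoin keeps a foreign netloc for absolute or scheme-relative targets,
    # so an exact (case-insensitive) netloc match is the deciding check.
    return resolved.netloc.lower() == app_host.lower()


def safe_next(target: str, fallback: str = "/browser/") -> str:
    """Destination after MFA completes: the validated target or the fallback."""
    return target if is_safe_redirect(target) else fallback
```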
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/pgadmin-4-released/