PatchSiren cyber security CVE debrief

CVE-2026-12044 pgadmin.org CVE debrief

CVE-2026-12044 is a SQL injection vulnerability in pgAdmin 4, a popular administration tool for PostgreSQL databases. The vulnerability affects versions from 1.0 up to, but not including, 9.16 and allows an authenticated user to inject arbitrary SQL. The issue arises from the improper handling of user-supplied description fields in several dialog templates, including Domains, Foreign Tables, Languages, and Event Triggers. An attacker with permission to create or alter these objects can submit a description containing an apostrophe, which terminates the SQL string literal the description is spliced into and lets the remainder of the field be executed as SQL. The injected SQL runs under the PostgreSQL role the user is already authenticated as, potentially leading to OS command execution if that role has elevated privileges.

Vendor: pgadmin.org
Product: pgAdmin 4
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Administrators and users of pgAdmin 4, especially those with elevated privileges, should be aware of this vulnerability and take immediate action to update to a patched version. Additionally, developers and security teams should review the patch and apply similar fixes to other potentially vulnerable areas.

Technical summary

The vulnerability is caused by the direct interpolation of user-supplied description fields into SQL string literals without escaping. The affected templates include Domains, Foreign Tables, Languages, and Event Triggers, and the issue can be exploited by any authenticated user with permission to create or alter these objects. The patch replaces the raw interpolation with the `qtLiteral` escape filter and also addresses related issues in the `pgstattuple` and `pgstatindex` stats templates.
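To make the mechanism concrete, the following added example (written for this debrief, not pgAdmin's own code) models a COMMENT ON statement such as a Domain dialog template might emit, once with the description spliced in raw and once through a hypothetical `qt_literal` stand-in for the `qtLiteral` filter; a small lexer then checks whether the rendered statement still carries the description as a single, intact literal. The statement shape and the `qt_literal` implementation are assumptions for illustration.

```python
from typing import Callable, Optional

# Hypothetical stand-in for pgAdmin's qtLiteral filter (not its real code):
# wrap the value in single quotes and double any embedded apostrophe so that
# user input can never terminate the literal early.
def qt_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"

# Constructed template fragments. The vulnerable form splices the raw value
# between quotes (the pattern the advisory describes); the fixed form runs it
# through the escape filter first.
def render_vulnerable(name: str, description: str) -> str:
    return f"COMMENT ON DOMAIN {name} IS '{description}';"

def render_fixed(name: str, description: str) -> str:
    return f"COMMENT ON DOMAIN {name} IS {qt_literal(description)};"

# Lex the rendered statement the way PostgreSQL would: read the literal that
# follows "IS '", treating '' as an escaped quote, then require that nothing but
# the terminating ";" remains. Returns the decoded description, or None when the
# statement is not exactly one well-formed COMMENT ... IS '<literal>'; statement
# (i.e. the literal was broken out of, or was never terminated).
def parse_comment(sql: str) -> Optional[str]:
    _head, sep, rest = sql.partition(" IS '")
    if not sep:
        return None
    out = []
    i = 0
    while i < len(rest):
        ch = rest[i]
        if ch == "'":
            if rest[i + 1 : i + 2] == "'":  # doubled quote: literal continues
                out.append("'")
                i += 2
                continue
            # closing quote: valid only if the statement ends right here
            return "".join(out) if rest[i + 1 :] == ";" else None
        out.append(ch)
        i += 1
    return None  # unterminated literal

# Regression-style check: does the description survive rendering unchanged?
def roundtrip_ok(render: Callable[[str, str], str], name: str, description: str) -> bool:
    return parse_comment(render(name, description)) == description

if __name__ == "__main__":
    sample = "O'Reilly's domain"  # constructed input containing apostrophes
    print(render_vulnerable("d", sample), roundtrip_ok(render_vulnerable, "d", sample))
    print(render_fixed("d", sample), roundtrip_ok(render_fixed, "d", sample))
```

The same `roundtrip_ok` check, run over each dialog's description field, is the kind of regression test the patch's test suite can use to catch any template that still interpolates raw input.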

Defensive priority

High

Recommended defensive actions

  • Update pgAdmin 4 to version 9.16 or later
  • Review and apply the patch to affected templates
  • Use the `qtLiteral` escape filter for user-supplied description fields
  • Restrict permissions for creating and altering objects
  • Monitor for suspicious activity and SQL injection attempts
  • Implement additional security measures, such as Query Tool gating

Evidence notes

The vulnerability was reported against the Domain Dialog description field and was found to affect multiple areas of pgAdmin 4. The patch involves a layered approach, including replacing vulnerable code, hardening the `qtLiteral` function, and adding regression tests.
