PatchSiren cyber security CVE debrief

CVE-2026-12045 pgadmin.org CVE debrief

A critical vulnerability (CVE-2026-12045) in pgAdmin 4's AI Assistant allows an attacker with write privileges on the pgAdmin user's role to execute arbitrary SQL, potentially leading to remote code execution on the database server host. The issue arises from the AI Assistant's execute_sql_query tool, which fails to restrict multi-statement payloads, enabling an attacker to bypass read-only transactions. This vulnerability affects pgAdmin 4 versions from 9.13 before 9.16.

Vendor: pgadmin.org
Product: pgAdmin 4
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-23
Advisory published: 2026-06-19
Advisory updated: 2026-06-23

Who should care

PostgreSQL database administrators, pgAdmin users, and security teams responsible for monitoring and patching database software should be aware of this critical vulnerability and take immediate action to mitigate the risk.

Technical summary

The pgAdmin 4 AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper. However, it does not restrict the query to a single statement or to read-only verbs, so a multi-statement payload can terminate the read-only transaction and have its remaining statements run in autocommit mode. An attacker can inject a payload starting with COMMIT, END, ROLLBACK, or ABORT to bypass the read-only restriction. The fix validates the LLM-supplied query upfront, ensuring it parses to exactly one non-empty, non-comment statement whose leading real token (the first token after any whitespace and comments) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE.
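The validation the fix describes can be expressed as an upfront allowlist check on the LLM-supplied text: split on top-level semicolons while honouring comments and quoting, require exactly one statement, and require its first real token to be on the allowlist. The block below is an added example written for this debrief, not pgAdmin's own patch; the function names and the hand-rolled tokenizer are assumptions, and it follows PostgreSQL's default standard_conforming_strings=on, so only E'...' literals treat backslash as an escape. Anything the tokenizer cannot resolve (an unterminated string or comment) is rejected rather than guessed at.

```python
# Added example modelled on the fix described in the debrief; names and
# tokenizer are assumptions, not pgAdmin's code.
import re

# Leading keywords the fix accepts as read-only statement starters.
ALLOWED_LEADING_TOKENS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "VALUES", "TABLE"}


class SqlValidationError(ValueError):
    """Raised when the LLM-supplied query fails the allowlist check."""


def split_statements(sql):
    """Split SQL on top-level semicolons, dropping comments and keeping
    quoted text (single, double and dollar quotes) intact.

    Assumes standard_conforming_strings=on (the PostgreSQL default), so
    only E'...' literals treat backslash as an escape. Unterminated
    strings or comments raise instead of being guessed at."""
    statements, cur, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        nxt = sql[i + 1] if i + 1 < n else ""
        if c == "-" and nxt == "-":                       # -- line comment
            end = sql.find("\n", i)
            i = n if end == -1 else end                   # the newline itself is kept
            cur.append(" ")
        elif c == "/" and nxt == "*":                     # /* block comment */, may nest
            depth, i = 1, i + 2
            while i < n and depth:
                if sql.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif sql.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            if depth:
                raise SqlValidationError("unterminated block comment")
            cur.append(" ")
        elif c == "$" and (m := re.match(r"\$([A-Za-z_]\w*)?\$", sql[i:])):
            tag = m.group(0)                              # $tag$ ... $tag$ string
            end = sql.find(tag, i + len(tag))
            if end == -1:
                raise SqlValidationError("unterminated dollar-quoted string")
            cur.append(sql[i:end + len(tag)])
            i = end + len(tag)
        elif c in ("'", '"'):                             # quoted string or identifier
            escape_str = (c == "'" and i > 0 and sql[i - 1] in "Ee"
                          and (i < 2 or not re.match(r"\w", sql[i - 2])))
            j = i + 1
            while True:
                if j >= n:
                    raise SqlValidationError("unterminated quoted string")
                if escape_str and sql[j] == "\\":         # E'...' backslash escape
                    j += 2
                    continue
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:     # doubled quote stays inside
                        j += 2
                        continue
                    break
                j += 1
            cur.append(sql[i:j + 1])
            i = j + 1
        elif c == ";":                                    # top-level statement boundary
            statements.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    statements.append("".join(cur))
    return [s.strip() for s in statements if s.strip()]


def validate_llm_query(sql):
    """Return the single allowed statement, or raise SqlValidationError."""
    statements = split_statements(sql)
    if len(statements) != 1:
        raise SqlValidationError(f"expected exactly one statement, got {len(statements)}")
    stmt = statements[0]
    m = re.match(r"[A-Za-z_]\w*", stmt)
    if not m or m.group(0).upper() not in ALLOWED_LEADING_TOKENS:
        raise SqlValidationError(f"disallowed leading token in {stmt[:30]!r}")
    return stmt


def is_allowed(sql):
    try:
        validate_llm_query(sql)
        return True
    except SqlValidationError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate read and the bypass shape the debrief describes.
    for q in ("SELECT count(*) FROM pg_stat_activity",
              "COMMIT; CREATE TABLE scratch (x int)"):
        print(f"{is_allowed(q)!s:5} {q}")
```

The check is deliberately text-level and conservative: a semicolon inside a string or comment does not split the statement, a parenthesised `(SELECT ...)` is rejected because its leading token is not a keyword, and a query that only ends in a trailing semicolon still counts as one statement. It complements, rather than replaces, the READ ONLY transaction wrapper and role-level privilege restrictions.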

Defensive priority

High

Recommended defensive actions

  • Update pgAdmin 4 to version 9.16 or later
  • Restrict write privileges on the pgAdmin user's role
  • Monitor database activity for suspicious queries
  • Implement additional security measures, such as query whitelisting
  • Review and update incident response plans
  • Consider disabling the AI Assistant feature until further updates

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. The source references include links to the pgAdmin 4 GitHub repository, which contains the fix and more details about the issue.
