PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12050 pgadmin.org CVE debrief

CVE-2026-12050 is a SQL injection vulnerability in pgAdmin 4's named restore point endpoint. The issue allows an authenticated pgAdmin user with a connected PostgreSQL session to inject additional SQL statements. However, the injected SQL executes under the database role the user is already authenticated as, meaning the attacker gains no capability beyond what their database role already grants them.

Vendor
pgadmin.org
Product
pgAdmin 4
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-29
Advisory published
2026-06-19
Advisory updated
2026-06-29

Who should care

pgAdmin 4 users with a connected PostgreSQL session, particularly those with elevated database roles, should be aware of this vulnerability. Although the impact is marginal due to the lack of privilege escalation, deployments that gate the Query Tool at the application layer could still see unexpected SQL execution.

Technical summary

The vulnerability exists in the named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}) of pgAdmin 4. The user-supplied 'value' field is interpolated directly into the SQL string using str.format() instead of being passed as a bound parameter. This allows for SQL injection, but the execution is limited to the user's current database role. The fix involves passing the restore point name as a bound parameter and schema-qualifying the function call as pg_catalog.pg_create_restore_point.

Defensive priority

Medium priority should be given to patching this vulnerability, especially in environments where authenticated users have elevated database roles or where the Query Tool is gated at the application layer.

Recommended defensive actions

  • Apply the patch (version 9.16 or later) to fix the SQL injection vulnerability.
  • Review and update database roles and permissions to ensure principle of least privilege.
  • Monitor for suspicious SQL activity, particularly in the context of authenticated pgAdmin users.
  • Consider compensating controls such as additional authentication or authorization checks for sensitive database operations.
  • Inventory pgAdmin 4 installations and prioritize patching based on risk and exposure.

Evidence notes

The CVE record was published on 2026-06-19T00:16:47.517Z and was last modified on 2026-06-29T15:15:52.040Z. The NVD entry is currently Analyzed. The vulnerability affects pgAdmin 4 versions from 1.0 before 9.16.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.517Z and has not been modified since then. The NVD entry is currently Analyzed.