PatchSiren cyber security CVE debrief

CVE-2026-7815 pgadmin.org CVE debrief

A SQL injection vulnerability in pgAdmin 4's Maintenance Tool allows authenticated users with tools_maintenance permission to execute arbitrary SQL on connected PostgreSQL servers. Four JSON parameters (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into VACUUM/ANALYZE/REINDEX commands without proper sanitization. Attackers can break out of option syntax and inject SQL, potentially escalating to OS command execution via COPY ... TO PROGRAM. The vulnerability affects pgAdmin 4 versions from 7.6 through 9.14. The fix implements server-side allow-listing for all four fields and applies the qtIdent filter to reindex_tablespace.

Vendor: pgadmin.org
Product: pgAdmin 4
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-26
Advisory published: 2026-05-11
Advisory updated: 2026-05-26

Who should care

Organizations running pgAdmin 4 versions 7.6 through 9.14 for PostgreSQL database administration, particularly those granting tools_maintenance permissions to non-administrative users or exposing pgAdmin instances to less-trusted networks.

Technical summary

The pgAdmin 4 Maintenance Tool constructs VACUUM, ANALYZE, and REINDEX commands by directly concatenating user-supplied JSON values into psql --command invocations. The vulnerable parameters—buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, and reindex_tablespace—lack server-side validation or proper identifier quoting. An authenticated attacker with tools_maintenance permission can inject SQL metacharacters to terminate the intended command and execute arbitrary statements. The PostgreSQL COPY ... TO PROGRAM feature enables subsequent operating-system command execution on the database host. The remediation introduces strict allow-list validation for all four fields and replaces manual string concatenation with the qtIdent filter for reindex_tablespace, ensuring proper PostgreSQL identifier quoting.
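The allow-list-and-quote pattern the fix adopts, shown here as an added illustration in Python rather than pgAdmin's own code. The function names, the `MaintenanceOptionError` type, the exact option grammar and the `quote_ident` helper are assumptions chosen to mirror what the advisory describes (server-side allow-lists for the three VACUUM option fields and PostgreSQL identifier quoting for reindex_tablespace); `build_vacuum_command_unsafe` reproduces the concatenation pattern only so the two behaviours can be compared.

```python
"""Allow-list validation and identifier quoting for maintenance commands.

Added example, not pgAdmin code.  Names and option grammar are assumptions
that follow the PostgreSQL VACUUM / REINDEX option syntax.
"""
import re


class MaintenanceOptionError(ValueError):
    """Raised when a maintenance option fails allow-list validation."""


# Allow-lists for the option fields named in the advisory (assumed shapes).
_BUFFER_LIMIT_RE = re.compile(r"^\d{1,10}(?:kB|MB|GB|TB)?$")  # e.g. '256kB', '0'
_PARALLEL_RE = re.compile(r"^\d{1,4}$")                       # worker count
_INDEX_CLEANUP_VALUES = ("AUTO", "ON", "OFF")


def quote_ident(name) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes and double any
    embedded double quote.  Whatever is inside is then a name, never syntax."""
    name = str(name)
    if "\x00" in name:
        raise MaintenanceOptionError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'


def validate_options(params: dict) -> dict:
    """Return only the allow-listed option values from a JSON-derived dict."""
    out = {}
    if "buffer_usage_limit" in params:
        v = str(params["buffer_usage_limit"])
        if not _BUFFER_LIMIT_RE.fullmatch(v):
            raise MaintenanceOptionError(f"bad buffer_usage_limit: {v!r}")
        out["buffer_usage_limit"] = v
    if "vacuum_parallel" in params:
        v = str(params["vacuum_parallel"])
        if not _PARALLEL_RE.fullmatch(v):
            raise MaintenanceOptionError(f"bad vacuum_parallel: {v!r}")
        out["vacuum_parallel"] = int(v)
    if "vacuum_index_cleanup" in params:
        v = str(params["vacuum_index_cleanup"]).upper()
        if v not in _INDEX_CLEANUP_VALUES:
            raise MaintenanceOptionError(f"bad vacuum_index_cleanup: {v!r}")
        out["vacuum_index_cleanup"] = v
    return out


def build_vacuum_command(schema, table, params: dict) -> str:
    """Hardened builder: every option value passes an allow-list and every
    name goes through quote_ident, so no caller-supplied text reaches the
    command as SQL syntax."""
    opts = validate_options(params)
    parts = []
    if "buffer_usage_limit" in opts:
        parts.append(f"BUFFER_USAGE_LIMIT '{opts['buffer_usage_limit']}'")
    if "vacuum_parallel" in opts:
        parts.append(f"PARALLEL {opts['vacuum_parallel']}")
    if "vacuum_index_cleanup" in opts:
        parts.append(f"INDEX_CLEANUP {opts['vacuum_index_cleanup']}")
    option_clause = f" ({', '.join(parts)})" if parts else ""
    return f"VACUUM{option_clause} {quote_ident(schema)}.{quote_ident(table)};"


def build_reindex_command(schema, table, params: dict) -> str:
    """REINDEX with the tablespace name passed through identifier quoting."""
    option_clause = ""
    if params.get("reindex_tablespace"):
        option_clause = f" (TABLESPACE {quote_ident(params['reindex_tablespace'])})"
    return f"REINDEX{option_clause} TABLE {quote_ident(schema)}.{quote_ident(table)};"


def build_vacuum_command_unsafe(schema, table, params: dict) -> str:
    """The pattern the advisory describes: the value is pasted straight into
    the command text.  Present only to contrast with build_vacuum_command."""
    return f"VACUUM (PARALLEL {params.get('vacuum_parallel', '')}) {schema}.{table};"


def is_rejected(builder, schema, table, params: dict) -> bool:
    """True when builder refuses params; used to exercise the allow-lists."""
    try:
        builder(schema, table, params)
    except MaintenanceOptionError:
        return True
    return False


if __name__ == "__main__":
    good = {"buffer_usage_limit": "256kB", "vacuum_parallel": "4",
            "vacuum_index_cleanup": "auto"}
    print(build_vacuum_command("public", "events", good))
    print(build_reindex_command("public", "events", {"reindex_tablespace": 'fast"disk'}))
    print(is_rejected(build_vacuum_command, "public", "events",
                      {"vacuum_parallel": "4); SELECT 1"}))
```

The design point is that an allow-list is stricter than escaping for option values: a worker count or a size literal has a tiny legal grammar, so anything outside it is rejected outright, while free-form names such as a tablespace are the one place where quoting (the qtIdent role) is the right tool.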

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade pgAdmin 4 to version 9.15 or later
  • Restrict tools_maintenance permission to trusted administrative accounts only
  • Monitor PostgreSQL query logs for suspicious COPY ... TO PROGRAM statements
  • Review database user permissions to limit potential blast radius of compromised pgAdmin accounts
  • Apply principle of least privilege for database connections from pgAdmin instances
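A small detector for the query-log monitoring action above, added here as an example (the log lines are constructed, not taken from the advisory). It assumes PostgreSQL logging with `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`, handles multi-line statements (continuation lines begin with a tab), and goes slightly beyond the advisory by also flagging `COPY ... FROM PROGRAM`, which hands a command to the database host in the same way.

```python
"""Flag COPY ... TO/FROM PROGRAM statements in PostgreSQL query logs.

Added example; the log format and sample lines are constructed assumptions
(log_line_prefix = '%m [%p] %u@%d ', log_statement = 'all').
"""
import re

_ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ \S+) "
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>LOG|ERROR|WARNING|STATEMENT):\s+(?P<body>.*)$",
    re.S,
)
_STATEMENT_RE = re.compile(r"^(?:statement|execute \S+): (?P<sql>.*)$", re.S)
# Either direction hands a shell command to the host; match across line breaks.
_COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:TO|FROM)\s+PROGRAM\b", re.I | re.S)

# Constructed sample: one VACUUM from the maintenance tool, two COPY ... PROGRAM
# statements, a harmless file COPY, a syntax error, and a multi-line COPY.
SAMPLE_LOG = (
    "2026-05-12 10:01:03.120 UTC [4412] maint_user@appdb LOG:  statement: "
    "VACUUM (PARALLEL 4) \"public\".\"events\";\n"
    "2026-05-12 10:01:04.501 UTC [4412] maint_user@appdb LOG:  statement: "
    "COPY (SELECT 1) TO PROGRAM 'id';\n"
    "2026-05-12 10:01:05.002 UTC [4413] app@appdb LOG:  statement: "
    "COPY events TO '/tmp/events.csv';\n"
    "2026-05-12 10:01:06.777 UTC [4412] maint_user@appdb LOG:  statement: "
    "copy t FROM program 'cat /etc/hostname';\n"
    "2026-05-12 10:01:07.000 UTC [4412] maint_user@appdb ERROR:  "
    "syntax error at or near \")\"\n"
    "2026-05-12 10:01:08.100 UTC [4412] maint_user@appdb LOG:  statement: "
    "COPY (SELECT 2)\n"
    "\tTO PROGRAM 'id';\n"
)


def iter_entries(log_text: str):
    """Yield one log entry per item; tab-prefixed lines continue the previous
    entry, which is how PostgreSQL writes multi-line statements."""
    current = None
    for line in log_text.splitlines():
        if line.startswith("\t") and current is not None:
            current += "\n" + line.lstrip("\t")
            continue
        if current is not None:
            yield current
        current = line
    if current is not None:
        yield current


def find_copy_program(log_text: str) -> list:
    """Return the statements that invoke COPY ... TO/FROM PROGRAM, with the
    timestamp, backend pid, role and database that issued them."""
    hits = []
    for entry in iter_entries(log_text):
        m = _ENTRY_RE.match(entry)
        if not m:
            continue
        s = _STATEMENT_RE.match(m["body"])
        if not s:
            continue
        sql = s["sql"]
        if _COPY_PROGRAM_RE.search(sql):
            hits.append({
                "ts": m["ts"],
                "pid": int(m["pid"]),
                "user": m["user"],
                "db": m["db"],
                "sql": " ".join(sql.split()),  # collapse whitespace for display
            })
    return hits


def count_by_user(hits: list) -> dict:
    """Aggregate hits per role, a convenient alerting key."""
    counts = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_copy_program(SAMPLE_LOG):
        print(f"{h['ts']} pid={h['pid']} {h['user']}@{h['db']}: {h['sql']}")
    print(count_by_user(find_copy_program(SAMPLE_LOG)))
```

In production the same logic would run over the log shipper's output rather than a string; the useful alert condition is any hit from a role that is only expected to run maintenance statements, since COPY ... PROGRAM has no place in a VACUUM, ANALYZE or REINDEX workflow.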

Evidence notes

CVE published 2026-05-11; NVD entry modified 2026-05-26. Vendor advisory and patch available via GitHub issue #9898. CVSS 4.0 vector confirms network attack vector with low attack complexity, low privileges required, and high impact to confidentiality, integrity, and availability.

Official resources

2026-05-11T16:17:37.873Z