CVE-2026-12044
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection in pgAdmin 4 across every dialog template that renders COMMENT ON ... IS '<description>' for a user-supplied description field. The Jinja templates for Domains (and their constraints), Foreign Tables, Languages, and Event Triggers, plus the Views OID-lookup query, interpolated the description directly inside a single-quoted SQL literal – '{{ data.description }}' – instead of passing it through the qtLiteral escape filter. An authenticated pgAdmin user with permission to create or alter the affected object types could submit a description containing an apostrophe, break out of the literal and chain arbitrary SQL. The injected SQL runs under the PostgreSQL role the user is already authenticated as; for a connected role with COPY ... TO/FROM PROGRAM (typically PostgreSQL superuser), this chains to OS command execution on the PostgreSQL host. The defect does not cross a privilege boundary – the user already has direct SQL access to that role through pgAdmin's Query Tool – so the attacker gains no capability beyond what their database role already grants. The marginal impact captures bypass of any application-layer Query Tool gating an operator may have configured.
The defect was originally reported against the Domain Dialog description field; a code-wide audit identified sixteen sites of the same pattern across the templates listed above. The same review also surfaced ten related sinks in the pgstattuple/pgstatindex stats templates – pgstattuple('{{schema}}.{{table}}') and the matching pgstatindex shape – where qtIdent escapes embedded double quotes inside the identifier but not apostrophes, so a user with CREATE privilege on a schema could plant a table or index named foo'bar and a later stats viewer would render an unbalanced literal.
Fix is layered:
Sites: replace every
'{{ x.description }}'with{{ x.description|qtLiteral(conn) }}(no surrounding quotes – the filter wraps the value in escaped quotes itself). Plumbconn=self.connthrough everyrender_templatecall that loads one of these templates. Also corrects a{ % elifJinja typo in the foreign-table schema diff (dead branch). Rewrite the ten pgstattuple/pgstatindex stats sites to address the relation via OID +::oid::regclasscast (e.g.pgstattuple({{ tid }}::oid::regclass)), eliminating the embedded literal-call form entirely so that bug-class can no longer recur there.Driver hardening:
qtLiteral(inutils/driver/psycopg3/__init__.py) used to silently return the raw unescaped value when itsconnargument was falsy. It now raisesValueError– surfacing the entire bug class going forward. The change immediately uncovered eight latent plumbing bugs (inschemas/__init__.py,schemas/functions/__init__.py,schemas/tables/utils.py,foreign_servers/__init__.py, and seven sites inroles/__init__.py) – all fixed as part of this patch. The innerexceptblock that swallowed adapter-level failures and returned the raw value is also removed, so unadaptable inputs raise instead of leaking unescaped values.Regression tests: a per-template behavioural test renders each previously-vulnerable template with an apostrophe-injection payload and asserts the escaped fragment is present and the vulnerable fragment absent; a lint test walks every
*.sqltemplate flagging any'{{ ... }}'single-quote-wrapped interpolation against an explicit allowlist; unit tests cover the new qtLiteral fail-fast and inner-except raise paths.
This issue affects pgAdmin 4: from 1.0 before 9.16.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pgadmin.org | pgAdmin 4 | 1.0 < 9.16 | affected |
Weaknesses
- CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-116: CWE-116 Improper Encoding or Escaping of Output
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/pgadmin-org/pgadmin4/issues/10078
- https://github.com/pgadmin-org/pgadmin4/commit/658bb585d
- https://github.com/pgadmin-org/pgadmin4/commit/2ae0d3610
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.