CVE-2026-7815: SQL injection vulnerability in pgAdmin 4 Maintenance Tool

May 11, 2026 (updated May 18, 2026)

SQL injection vulnerability in pgAdmin 4 Maintenance Tool.

Four user-supplied JSON fields (buffer_usage_limit, vacuum_parallel, vacuum_index_cleanup, reindex_tablespace) were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql –command. An authenticated user with the tools_maintenance permission could break out of the option syntax and execute arbitrary SQL on the connected PostgreSQL server. The injected SQL could in turn invoke COPY … TO PROGRAM to escalate to operating-system command execution on the database host.

Fix introduces server-side allow-listing of all four fields and switches reindex_tablespace from manual quoting to the qtIdent filter.

This issue affects pgAdmin 4: before 9.15.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-7815 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →