CVE-2026-7816: pgAdmin 4: OS command injection vulnerability in Import/Export query export

May 11, 2026 (updated June 8, 2026)

OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.

User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject “) TO PROGRAM ‘cmd’” to break out of the \copy (…) context and achieve arbitrary command execution on the pgAdmin server, or “) TO ‘/path’” for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.

Fix adds a parens-balance parser modeled on psql’s strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.

This issue affects pgAdmin 4: before 9.15.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-7816 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →