CVE-2026-12045: pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.

The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without being restricted to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran every subsequent statement in autocommit mode; the wrapper's trailing ROLLBACK then had nothing left to roll back.

Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.

The fix validates the LLM-supplied query up front: it must parse to exactly one non-empty, non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.

This issue affects pgAdmin 4 from 9.13 before 9.16.
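To make the shape of the fix concrete, the following is an added example written for this page; it is not pgAdmin's own code and does not claim to reproduce its validator byte for byte. It splits an LLM-supplied query into statements while honouring PostgreSQL quoting and comment syntax (doubled-quote escapes, dollar quoting, line comments, nested block comments), requires exactly one non-empty statement, and accepts only the six read-only leading keywords the advisory lists. The function names, the READ_ONLY_VERBS constant, and the sample payloads are this example's own constructions; the payload samples mirror the COMMIT-then-write-then-ROLLBACK shape described above.

```python
"""Read-only SQL gate of the shape described in the CVE-2026-12045 fix.

Added example, not pgAdmin's code. The tokenizer approximates PostgreSQL
lexing for the constructs that matter when splitting on ';': '...' and
"..." (with doubled-quote escapes), $tag$...$tag$ dollar quoting,
-- line comments and nested /* */ block comments. E'...' backslash escapes
are not modelled; a mis-split there can only yield *more* statements, which
fails closed. PostgreSQL's READ ONLY transaction mode remains the backstop
for anything a leading-keyword allow-list cannot see (e.g. writes in CTEs).
"""
from __future__ import annotations

import re
from typing import List, Optional, Tuple

# Leading keywords the fixed tool accepts (assumption: the list in the advisory).
READ_ONLY_VERBS = frozenset({"SELECT", "WITH", "EXPLAIN", "SHOW", "VALUES", "TABLE"})

_DOLLAR_TAG = re.compile(r"\$([A-Za-z_]\w*)?\$")
_LEADING_WORD = re.compile(r"[\s(]*([A-Za-z_]\w*)")


def split_statements(sql: str) -> List[str]:
    """Split on ';' outside quotes and comments; comments are dropped and
    empty or comment-only segments are discarded."""
    stmts: List[str] = []
    buf: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        pair = sql[i:i + 2]
        if pair == "--":                       # line comment runs to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl          # the newline itself stays as whitespace
            continue
        if pair == "/*":                       # block comment; PostgreSQL nests these
            depth, i = 1, i + 2
            while i < n and depth:
                if sql[i:i + 2] == "/*":
                    depth, i = depth + 1, i + 2
                elif sql[i:i + 2] == "*/":
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            buf.append(" ")
            continue
        if c in ("'", '"'):                    # string literal or quoted identifier
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if sql[j + 1:j + 2] == c:  # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
            continue
        m = _DOLLAR_TAG.match(sql, i)
        if m:                                  # $$...$$ or $tag$...$tag$
            tag = m.group(0)
            end = sql.find(tag, m.end())
            end = n if end == -1 else end + len(tag)
            buf.append(sql[i:end])
            i = end
            continue
        if c == ";":                           # statement boundary
            stmts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def leading_keyword(stmt: str) -> Optional[str]:
    """First real word after leading whitespace and opening parentheses."""
    m = _LEADING_WORD.match(stmt)
    return m.group(1).upper() if m else None


def validate_read_only_query(sql: str) -> Tuple[bool, str]:
    """Gate an LLM-supplied query before any database work happens."""
    stmts = split_statements(sql)
    if not stmts:
        return False, "empty query"
    if len(stmts) > 1:
        return False, f"{len(stmts)} statements; exactly one is allowed"
    kw = leading_keyword(stmts[0])
    if kw is None:
        return False, "no leading keyword"
    if kw not in READ_ONLY_VERBS:
        return False, f"leading keyword {kw} is not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a benign query and payloads of the shape the advisory describes.
    samples = [
        "SELECT usename FROM pg_user",
        "COMMIT; UPDATE accounts SET balance = 0; ROLLBACK",
        "/* note */ (SELECT 'a;b')",
        "COPY (SELECT 1) TO PROGRAM 'id'",
    ]
    for s in samples:
        ok, why = validate_read_only_query(s)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {why:45} {s!r}")
```

The gate looks only at statement count and the leading verb, which is exactly why the advisory keeps READ ONLY as a second layer: a single SELECT can still carry a data-modifying CTE or call a volatile function, and that is caught by the transaction mode, not by this check. Running the gate before the driver is touched is what closes the COMMIT/END/ROLLBACK/ABORT escape; a check placed inside the transaction would already be too late.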
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: 9.16
- Affected Products: 1
HarborGuard Analysis
Synopsis
A read-only transaction bypass vulnerability in pgAdmin 4's AI Assistant (versions 9.13 up to but not including 9.16) allows an attacker with low-privilege database write access to execute arbitrary SQL as the pgAdmin user's database role. The attack is delivered over the network via prompt injection: malicious content placed in any database object the AI Assistant reads causes the LLM to emit a multi-statement payload that escapes the READ ONLY transaction wrapper. Successful exploitation enables unauthorized data modification and, when the pgAdmin role is a superuser or holds pg_execute_server_program, full remote code execution on the database server host. A patched-image rebuild at pgAdmin 4 version 9.16 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-12045 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle pgAdmin 4. Any image containing pgAdmin 4 from version 9.13 up to but not including 9.16 is flagged automatically.
HarborGuard scores this CVE at CVSS 9.4 (Critical) using the published v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticket queue configured for the relevant team within each customer organization.
A patched-image rebuild at pgAdmin 4 version 9.16 becomes available through HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must be able to write, over the network, into a database object the AI Assistant may later read, either directly or through any application that stores attacker-supplied input in that database. Reaching the pgAdmin 4 service itself is not required, because the payload is delivered as database content rather than as a request to pgAdmin.
- Authentication: Required
The attacker must hold at least a low-privilege account with write access to some database object the AI Assistant may inspect; no higher privilege is needed to trigger the bypass. Whether the chain reaches remote code execution depends on the pgAdmin user's database role (superuser or pg_execute_server_program), not on the attacker's own privileges.
- Victim interaction: Required
A pgAdmin user must invoke the AI Assistant in a way that makes it read the attacker-controlled content, which causes the LLM to emit the malicious multi-statement tool call.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free once the attacker can place content in a readable database object; no race conditions or special memory-layout requirements apply.
Blast Radius
- Reads any data accessible to the pgAdmin user's database role, including table rows, column values, and stored credentials.
- Modifies or deletes persisted database rows and schema objects without authorization.
- When the pgAdmin role is a PostgreSQL superuser or holds pg_execute_server_program, executes arbitrary operating system commands on the database server host via COPY ... TO PROGRAM.
- Cascading compromise of downstream systems is possible if the database server host or its credentials are used as a trust anchor in the broader infrastructure.
How HarborGuard Handles This
Available on HarborGuard: images containing pgAdmin 4 versions 9.13 through 9.15 are matched against CVE-2026-12045 within minutes of the advisory entering upstream feeds, covering images in customer registries and CI pipelines alike, including custom builds. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at version 9.16, runs regression tests, and opens a pull request against affected workloads; for critical-severity issues, median time from publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, the CVE surfaces in the HarborGuard dashboard with CVSS 9.4 Critical severity and routing to the configured owner.

While the upgrade is in progress, note that restricting network access to the pgAdmin instance does not block delivery: the payload arrives through database content the AI Assistant reads, not through a request to pgAdmin. More effective interim controls are to audit which database roles pgAdmin connects with and to ensure none of them is a superuser or holds pg_execute_server_program, which removes the COPY ... TO PROGRAM branch of the chain (unauthorised writes with the role's ordinary privileges remain possible), and to avoid using the AI Assistant against databases that hold untrusted content until 9.16 is deployed.
- pgadmin.org / pgAdmin 4: from 9.13, before 9.16 (fixed in 9.16)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H