The pgAdmin development team has issued patches addressing four newly disclosed security vulnerabilities impacting pgAdmin versions up to 9.9, including a critical Remote Code Execution (RCE) flaw that could allow attackers to run arbitrary commands on affected servers.
pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
Critical Remote Code Execution – CVE-2025-12762 (CVSS 9.1)
The most severe issue affects pgAdmin running in server mode, specifically during restore operations involving PLAIN-format PostgreSQL dump files.
The advisory warns that pgAdmin versions “up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files.”
Attackers can craft malicious dump files that inject system-level commands, allowing full compromise of the host. The advisory states: “This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.”
Command Injection on Windows – CVE-2025-12763 (CVSS 6.8)
A second flaw affects Windows installations of pgAdmin 4, stemming from unsafe shell parameter usage during backup and restore actions.
According to the report, “pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems… caused by the use of shell=True during backup and restore operations.”
Attackers who supply specially crafted file paths can force pgAdmin to execute arbitrary Windows system commands.
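As an added illustration (not pgAdmin's own code), the pattern the advisory describes and its hardened form in Python: the backup command is built as an argument vector with shell=False so a crafted file path can never reach the Windows shell, and the path is confined to a backup directory. The BACKUP_ROOT location, the helper names and the pg_dump flags are assumptions for the demo.

```python
"""Hardened launch of a backup tool, contrasted with the shell=True pattern."""
import os
import subprocess
import sys

# Hypothetical directory that dump files are confined to (assumption, not a pgAdmin setting).
BACKUP_ROOT = os.path.abspath("backups")


def validate_dump_path(user_path: str, root: str = BACKUP_ROOT) -> str:
    """Resolve a user-supplied path and refuse anything outside the backup root.

    No attempt is made to strip shell metacharacters: with shell=False they are
    never interpreted, so the remaining concern is only where the file lands.
    """
    root = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([resolved, root]) != root:
        raise ValueError(f"dump path escapes backup root: {user_path!r}")
    return resolved


def rejects_escape(user_path: str) -> bool:
    """True if validate_dump_path refuses the path (used to check the guard)."""
    try:
        validate_dump_path(user_path)
    except ValueError:
        return True
    return False


def build_backup_argv(dump_path: str, dbname: str, pg_dump: str = "pg_dump") -> list:
    """Build the pg_dump invocation as an argument vector (assumed flags).

    Vulnerable pattern, do NOT use:
        subprocess.run(f'{pg_dump} --file="{dump_path}" {dbname}', shell=True)
    There a path such as  db.sql" & <any command> & "  is parsed by cmd.exe.
    With a list and shell=False each element is exactly one argument.
    """
    return [pg_dump, "--format=plain", f"--file={dump_path}", dbname]


def run_backup(user_path: str, dbname: str) -> subprocess.CompletedProcess:
    argv = build_backup_argv(validate_dump_path(user_path), dbname)
    return subprocess.run(argv, shell=False, check=False, capture_output=True, text=True)


def argv_passthrough(arg: str) -> str:
    """Show that an argument full of shell metacharacters reaches the child unchanged.

    The current Python interpreter stands in for the child so the demo runs offline.
    """
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg]
    return subprocess.run(child, shell=False, capture_output=True, text=True, check=True).stdout
```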
LDAP Injection – CVE-2025-12764 (CVSS 7.5)
The third vulnerability concerns deployments using LDAP authentication. The advisory states, “pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username.”
By inserting malicious characters into the LDAP username field, attackers can cause both the domain controller and the client to process excessive or malformed data, resulting in a Denial-of-Service (DoS) condition.
TLS Certificate Verification Bypass – CVE-2025-12765 (CVSS 7.5)
A separate flaw in the LDAP authentication mechanism allows attackers to bypass certificate validation entirely.
According to the advisory, “pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism [that] allows bypassing TLS certificate verification.”
If exploited, an attacker could intercept or alter communications between pgAdmin and the LDAP server, enabling credential theft or man-in-the-middle (MitM) attacks.
All Versions Up to 9.9 Affected — Immediate Updates Recommended
Because all four vulnerabilities impact pgAdmin versions ≤ 9.9, administrators are urged to update immediately to the latest secure release (v9.10). Organizations using pgAdmin in enterprise settings, especially with LDAP-enabled authentication or Windows environments, face heightened risk.