- Product: pgadmin.org pgAdmin 4
- Vulnerabilities: 3 flaws (CVE-2026-12048, CVE-2026-12046, CVE-2026-12045)
- Highest severity: 9.5 (Critical · CVSSv4)
- Worst impact: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution
- Status: No confirmed exploitation yet; patches available
- Action: Update to 9.16 now
| CVE | CVSS (CVSSv4) | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-12046 | 9.5 | Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution | 9.16 | Not exploited |
| CVE-2026-12045 | 9.4 | AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution | 9.16 | Not exploited |
| CVE-2026-12048 | 9.3 | Stored XSS via untrusted error and plan-node text rendered through html-react-parser | 9.16 | Not exploited |
Database administrators have urgent patching to do. The pgAdmin team has fixed three critical pgAdmin 4 vulnerabilities, all rated above CVSS 9.0. Together, they expose the popular PostgreSQL management tool to cross-site scripting, code execution, and SQL abuse. Notably, version 9.16 closes every one of them.
Why It Matters
pgAdmin is the go-to graphical tool for PostgreSQL worldwide. So these flaws reach a huge base of developers and admins. Many teams run it in shared, server-mode deployments. That setup widens the potential blast radius considerably.
Stored XSS Inside the Interface
The first flaw is CVE-2026-12048, a stored XSS bug scoring CVSS 9.3. It lives in how pgAdmin renders error messages and Explain plan nodes. Essentially, text returned by a PostgreSQL server passed through unsanitized. Even a low-privilege user who creates a cleverly named table could plant the payload. Therefore, a malicious server could inject HTML, including an iframe, straight into the pgAdmin DOM.
That makes the attack especially sneaky. Because the injection starts inside pgAdmin itself, frame-blocking headers offer no defense. As a result, a phishing page can look identical to a genuine pgAdmin dialog. The fix wraps DOMPurify around the vulnerable rendering paths.
A Missing Lock on Two Endpoints
Next comes CVE-2026-12046, the highest-rated of the trio at CVSS 9.5. Two SQL Editor endpoints were missing the login-required decorator. Consequently, in server mode they could be reached without authentication. The issue pairs a missing-authentication flaw (CWE-306) with insecure deserialization (CWE-502).
However, full remote code execution is not automatic. An attacker also needs pgAdmin's secret key and write access to its session directory. In other words, this flaw is the final hop after a separate compromise. A one-line decorator on each endpoint now blocks unauthenticated requests.
When the AI Assistant Breaks Its Own Rules
The third bug, CVE-2026-12045, targets pgAdmin’s AI Assistant and scores CVSS 9.4. The assistant runs generated SQL inside a read-only transaction for safety. Yet a crafted multi-statement payload could close that transaction early. Then later statements ran in autocommit mode.
Delivery happens through prompt injection. So an attacker who plants text in a database object can steer the assistant. With write privileges, they could modify data. With superuser rights, the chain reaches command execution through COPY TO PROGRAM. This makes it a textbook prompt-injection risk for AI-enabled database tools. The patch now allows only single, read-only statements.
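As an added example (not pgAdmin's own code), a Python gate in the spirit of the 9.16 fix described above: it masks comments and literals, then accepts assistant-generated SQL only if it is exactly one statement with a read-only leading keyword, so a "SELECT ...; COMMIT; ..." payload can no longer end the read-only transaction. The function names, the keyword list and the sample SQL are my own assumptions.

```python
import re

# Leading keywords of statements the assistant may run. The read-only
# transaction still decides what a statement may touch; this gate only
# guarantees that exactly one statement reaches that transaction, so no
# COMMIT/ROLLBACK can end it early and leave later statements in autocommit.
READ_ONLY_LEADERS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "VALUES", "TABLE"}

# Comments, string literals and quoted identifiers. They are masked before
# splitting so a ';' inside them never counts as a separator and a ';'
# outside them can never be hidden. Assumes standard_conforming_strings=on
# (the PostgreSQL default). Nested block comments are not tracked: the
# regex ends a comment at the first '*/', which can only expose MORE text
# to the check, i.e. the gate fails closed rather than open.
_LEXEMES = re.compile(
    r"--[^\n]*"                                  # line comment
    r"|/\*.*?\*/"                                # block comment
    r"|(?<!\w)\$([A-Za-z_]\w*|)\$.*?\$\1\$"      # $$...$$ or $tag$...$tag$
    r"|(?<!\w)[eE]'(?:[^'\\]|\\.|'')*'"          # E'...' with backslash escapes
    r"|'(?:[^']|'')*'"                           # standard string literal
    r"|\"(?:[^\"]|\"\")*\"",                     # quoted identifier
    re.S,
)


def split_statements(sql: str) -> list[str]:
    """Mask lexemes, split on ';' and drop empty pieces (e.g. a trailing ';')."""
    masked = _LEXEMES.sub(" ", sql)
    return [s.strip() for s in masked.split(";") if s.strip()]


def is_single_read_only_statement(sql: str) -> bool:
    """Gate for assistant-generated SQL: one statement with a read-only leader."""
    statements = split_statements(sql)
    if len(statements) != 1:
        return False  # "SELECT 1; COMMIT; DELETE ..." is refused here
    words = statements[0].lstrip("(").split(None, 1)  # allow "(SELECT ..) UNION (..)"
    return bool(words) and words[0].upper() in READ_ONLY_LEADERS


if __name__ == "__main__":
    # constructed samples of what a prompt-injected assistant might emit
    for sql in ("SELECT * FROM orders WHERE id = 42",
                "SELECT 1; COMMIT; DELETE FROM orders"):
        print(is_single_read_only_statement(sql), sql)
```

A lexical gate like this is a pre-check only; keep the statement inside the read-only transaction (or run the assistant as a role without write grants) so the server remains the real enforcement point.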
Patch Without Delay
Release 9.16 resolves all three pgAdmin 4 vulnerabilities. Given the severity scores, administrators should upgrade quickly. There is no evidence of active exploitation yet, but the fixes are now public. You can grab the latest build from the official pgAdmin download page. Above all, treat database servers and AI-assistant inputs as untrusted.