{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-12045","assignerOrgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","state":"PUBLISHED","assignerShortName":"PostgreSQL","dateReserved":"2026-06-11T20:40:06.461Z","datePublished":"2026-06-18T23:37:35.182Z","dateUpdated":"2026-06-23T03:55:43.509Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","shortName":"PostgreSQL","dateUpdated":"2026-06-18T23:37:35.182Z"},"title":"pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution","affected":[{"vendor":"pgadmin.org","product":"pgAdmin 4","repo":"https://github.com/pgadmin-org/pgadmin4","modules":["AI Assistant","LLM Tools"],"programFiles":["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/llm/tools/database.py"],"versions":[{"status":"affected","version":"9.13","lessThan":"9.16","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.\n\nThe AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.\n\nDelivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.\n\nFix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.\n\nThis issue affects pgAdmin 4: from 9.13 before 9.16."}],"references":[{"url":"https://github.com/pgadmin-org/pgadmin4/issues/10022","tags":["issue-tracking"]},{"url":"https://github.com/pgadmin-org/pgadmin4/commit/bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"Threat model: indirect prompt injection. An attacker with low-privilege DB write access plants a payload in any object the AI Assistant might read (table row, column value, comment). When a pgAdmin user with a higher-privilege role (typically PostgreSQL superuser or holder of pg_execute_server_program) opens the AI Assistant against that content, the LLM emits the multi-statement payload as a tool call. The crafted payload uses COMMIT / END / ROLLBACK / ABORT to close the wrapping read-only transaction, then COPY ... TO PROGRAM to gain OS code execution on the DB host.\n\nS:C is earned by the confused-deputy pattern: the attacker is not the LLM user; third-party DB content steers the user's LLM session to execute writes the user did not authorise. This does *not* score the user self-jailbreaking their own assistant -- only the indirect-injection vector.\n\nAlternative: AC:H (-> 8.0 HIGH) is defensible given LLM non-determinism (the payload doesn't fire every invocation) and the superuser-victim precondition. The 9.0 figure is the optimistic end of the range."}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"CRITICAL","baseScore":9,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"Same reasoning as the CVSS 3.1 entry: indirect prompt injection, third-party content drives the user's LLM session, COPY ... TO PROGRAM reaches the DB host. VC:H/VI:H/VA:H + SC:H/SI:H/SA:H since RCE on the DB host compromises both pgAdmin's authority and the downstream system. UI:P captures that the user merely uses the AI Assistant normally; the attacker does not direct any specific user action."}],"cvssV4_0":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","baseScore":9.4,"baseSeverity":"CRITICAL"}}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","cweId":"CWE-89","type":"CWE"},{"lang":"en","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')","cweId":"CWE-77","type":"CWE"}]}],"credits":[{"lang":"en","value":"Isaac Chen <isaac9503@gmail.com>","type":"finder"},{"lang":"en","value":"Dave Page <page@pgadmin.org>","type":"remediation developer"},{"lang":"en","value":"Kundan Sable <kundan.sable@enterprisedb.com>","type":"remediation reviewer"}],"source":{"discovery":"EXTERNAL"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-22T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-12045"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-23T03:55:43.509Z"}}]}}