{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7816","assignerOrgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","state":"PUBLISHED","assignerShortName":"PostgreSQL","dateReserved":"2026-05-04T21:26:58.164Z","datePublished":"2026-05-11T14:35:50.827Z","dateUpdated":"2026-05-11T16:08:46.148Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","shortName":"PostgreSQL","dateUpdated":"2026-05-11T14:35:50.827Z"},"title":"pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout","datePublic":"2026-05-11T10:30:00.000Z","affected":[{"vendor":"pgadmin.org","product":"pgAdmin 4","repo":"https://github.com/pgadmin-org/pgadmin4","modules":["Import/Export Tool"],"programFiles":["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/tools/import_export/__init__.py"],"versions":[{"status":"affected","version":"9.4","lessThan":"9.15","versionType":"custom"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export.\n\nUser-supplied input was interpolated directly into a psql \\copy metacommand template without sanitization. An authenticated user could inject \") TO PROGRAM 'cmd'\" to break out of the \\copy (...) context and achieve arbitrary command execution on the pgAdmin server, or \") TO '/path'\" for arbitrary file write. Additional fields (format, on_error, log_verbosity) were also raw-interpolated and exploitable.\n\nFix adds a parens-balance parser modeled on psql's strtokx tokenizer, allow-lists format/on_error/log_verbosity, rejects null bytes in the query, and tightens type and gating checks.\n\nThis issue affects pgAdmin 4: before 9.15."}],"references":[{"url":"https://github.com/pgadmin-org/pgadmin4/issues/9899","tags":["issue-tracking"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"Authenticated pgAdmin user with tools_import_export permission. Command execution occurs in the pgAdmin process, which is the same security authority as the application itself; S:U reflects no scope change. Whether this is a privilege escalation depends on whether the attacker had other shell access to the pgAdmin host."}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":8.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"Authenticated pgAdmin user with tools_import_export permission. Command execution occurs in the pgAdmin process, which is the same security authority as the application itself; S:U reflects no scope change. Whether this is a privilege escalation depends on whether the attacker had other shell access to the pgAdmin host."}],"cvssV4_0":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":8.7,"baseSeverity":"HIGH"}}],"credits":[{"lang":"en","type":"finder","value":"Chung Kim (chungkn), OneMount Group"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-89","lang":"en","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T16:08:21.423663Z","id":"CVE-2026-7816","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T16:08:46.148Z"}}]}}