CVE-2026-12045
CriticalCVSS 9.0Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
A vulnerability in the pgAdmin 4 AI Assistant allows an attacker who can influence database content read by the assistant to execute arbitrary SQL with the privileges of the pgAdmin user's database role. The flaw stems from missing validation of LLM-generated queries, enabling bypass of read-only mode via injection of commands like COMMIT or ROLLBACK.
Risk Assessment
An attacker with write privileges on the database can perform unauthorized data modification, and if the pgAdmin user is a PostgreSQL superuser or has pg_execute_server_program privilege, remote code execution on the database server host is possible.
Recommendation
Upgrade pgAdmin 4 to version 9.16 or later immediately, which includes a fix that validates LLM-supplied queries before execution.
Original NVD description (English source)
Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role. The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect. Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM. Fix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects. This issue affects pgAdmin 4: from 9.13 before 9.16.

