{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12045", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2026-06-11T20:40:06.461Z", "datePublished": "2026-06-18T23:37:35.182Z", "dateUpdated": "2026-06-23T03:55:43.509Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-06-18T23:37:35.182Z"}, "title": "pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution", "affected": [{"vendor": "pgadmin.org", "product": "pgAdmin 4", "repo": "https://github.com/pgadmin-org/pgadmin4", "modules": ["AI Assistant", "LLM Tools"], "programFiles": ["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/llm/tools/database.py"], "versions": [{"status": "affected", "version": "9.13", "lessThan": "9.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.\n\nThe AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.\n\nDelivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.\n\nFix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.\n\nThis issue affects pgAdmin 4: from 9.13 before 9.16."}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/10022", "tags": ["issue-tracking"]}, {"url": "https://github.com/pgadmin-org/pgadmin4/commit/bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "Threat model: indirect prompt injection. An attacker with low-privilege DB write access plants a payload in any object the AI Assistant might read (table row, column value, comment). When a pgAdmin user with a higher-privilege role (typically PostgreSQL superuser or holder of pg_execute_server_program) opens the AI Assistant against that content, the LLM emits the multi-statement payload as a tool call. The crafted payload uses COMMIT / END / ROLLBACK / ABORT to close the wrapping read-only transaction, then COPY ... TO PROGRAM to gain OS code execution on the DB host.\n\nS:C is earned by the confused-deputy pattern: the attacker is not the LLM user; third-party DB content steers the user's LLM session to execute writes the user did not authorise. This does *not* score the user self-jailbreaking their own assistant -- only the indirect-injection vector.\n\nAlternative: AC:H (-> 8.0 HIGH) is defensible given LLM non-determinism (the payload doesn't fire every invocation) and the superuser-victim precondition. The 9.0 figure is the optimistic end of the range."}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "Same reasoning as the CVSS 3.1 entry: indirect prompt injection, third-party content drives the user's LLM session, COPY ... TO PROGRAM reaches the DB host. VC:H/VI:H/VA:H + SC:H/SI:H/SA:H since RCE on the DB host compromises both pgAdmin's authority and the downstream system. UI:P captures that the user merely uses the AI Assistant normally; the attacker does not direct any specific user action."}], "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 9.4, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}, {"lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "cweId": "CWE-77", "type": "CWE"}]}], "credits": [{"lang": "en", "value": "Isaac Chen <isaac9503@gmail.com>", "type": "finder"}, {"lang": "en", "value": "Dave Page <page@pgadmin.org>", "type": "remediation developer"}, {"lang": "en", "value": "Kundan Sable <kundan.sable@enterprisedb.com>", "type": "remediation reviewer"}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-12045"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T03:55:43.509Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12045", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-22T19:12:05.335738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T19:12:19.078Z"}}], "cna": {"title": "pgAdmin 4: AI Assistant read-only transaction bypass allows unauthorised writes and remote code execution", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Isaac Chen <isaac9503@gmail.com>"}, {"lang": "en", "type": "remediation developer", "value": "Dave Page <page@pgadmin.org>"}, {"lang": "en", "type": "remediation reviewer", "value": "Kundan Sable <kundan.sable@enterprisedb.com>"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "Threat model: indirect prompt injection. An attacker with low-privilege DB write access plants a payload in any object the AI Assistant might read (table row, column value, comment). When a pgAdmin user with a higher-privilege role (typically PostgreSQL superuser or holder of pg_execute_server_program) opens the AI Assistant against that content, the LLM emits the multi-statement payload as a tool call. The crafted payload uses COMMIT / END / ROLLBACK / ABORT to close the wrapping read-only transaction, then COPY ... TO PROGRAM to gain OS code execution on the DB host.\n\nS:C is earned by the confused-deputy pattern: the attacker is not the LLM user; third-party DB content steers the user's LLM session to execute writes the user did not authorise. This does *not* score the user self-jailbreaking their own assistant -- only the indirect-injection vector.\n\nAlternative: AC:H (-> 8.0 HIGH) is defensible given LLM non-determinism (the payload doesn't fire every invocation) and the superuser-victim precondition. The 9.0 figure is the optimistic end of the range."}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}, "scenarios": [{"lang": "en", "value": "Same reasoning as the CVSS 3.1 entry: indirect prompt injection, third-party content drives the user's LLM session, COPY ... TO PROGRAM reaches the DB host. VC:H/VI:H/VA:H + SC:H/SI:H/SA:H since RCE on the DB host compromises both pgAdmin's authority and the downstream system. UI:P captures that the user merely uses the AI Assistant normally; the attacker does not direct any specific user action."}]}], "affected": [{"repo": "https://github.com/pgadmin-org/pgadmin4", "vendor": "pgadmin.org", "modules": ["AI Assistant", "LLM Tools"], "product": "pgAdmin 4", "versions": [{"status": "affected", "version": "9.13", "lessThan": "9.16", "versionType": "custom"}], "programFiles": ["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/llm/tools/database.py"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/10022", "tags": ["issue-tracking"]}, {"url": "https://github.com/pgadmin-org/pgadmin4/commit/bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role.\n\nThe AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect.\n\nDelivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM.\n\nFix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects.\n\nThis issue affects pgAdmin 4: from 9.13 before 9.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}, {"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-06-18T23:37:35.182Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12045", "state": "PUBLISHED", "dateUpdated": "2026-06-23T03:55:43.509Z", "dateReserved": "2026-06-11T20:40:06.461Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2026-06-18T23:37:35.182Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "pgadmin4: pgAdmin 4: Remote code execution via prompt injection in AI Assistant", "id": "2490625", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490625"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-89", "details": ["A flaw was found in the pgAdmin 4 AI Assistant. An attacker with the ability to influence database content that the assistant reads can exploit a transaction bypass vulnerability through prompt injection. This allows the attacker to execute arbitrary SQL queries with the privileges of the pgAdmin user's database role. If the pgAdmin user has superuser privileges, this can lead to remote code execution on the database server."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-12045", "public_date": "2026-06-18T23:37:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-12045\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-12045\nhttps://github.com/pgadmin-org/pgadmin4/commit/bf4792444446f0e7ab721d23cbd6bfe6afaa7a8b\nhttps://github.com/pgadmin-org/pgadmin4/issues/10022"], "statement": "This Important flaw in the pgAdmin 4 AI Assistant allows an attacker to bypass read-only transaction protections through prompt injection. By influencing database content that the assistant reads, an attacker can execute arbitrary SQL queries with the privileges of the pgAdmin user's database role. This can escalate to remote code execution on the database server if the pgAdmin user holds superuser privileges, posing a significant risk to data integrity and system control.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.13,9.16)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "pgAdmin 4", "source": "cna", "vendor": "pgadmin.org"}, "product": "pgadmin_4", "vendor": "pgadmin"}], "created": "2026-06-19T01:30:16.172169+00:00", "updated": "2026-06-24T20:30:04.382929+00:00", "vendors": ["pgadmin", "pgadmin$PRODUCT$pgadmin_4"]}