Gbhackers
Critical Vulnerabilities in pgAdmin 4 Expose Databases to Remote Code Execution
pgAdmin 4 version 9.16 was released to patch seven vulnerabilities, including critical issues tracked as CVE-2026-12044 to CVE-2026-12050. These vulnerabilities could allow attackers to execute arbitrary commands, gain unauthorized access, or inject malicious scripts. Notably, CVE-2026-12045 allows remote code execution through a read-only transaction bypass, while CVE-2026-12046 exposes unauthenticated endpoints. CVE-2026-12048 presents a stored cross-site scripting risk that can lead to credential theft. The vulnerabilities affect a wide range of PostgreSQL database deployments, necessitating immediate updates. The Centre for Cybersecurity Belgium has issued advisories urging organizations to prioritize patching. The release also includes 64 bug fixes and usability enhancements.
Key Points:
• pgAdmin 4 version 9.16 fixes seven critical vulnerabilities, including remote code execution risks.
• CVE-2026-12045 allows attackers to bypass read-only transactions and execute commands.
• Immediate patching is recommended due to the potential for unauthorized access and credential theft.