CVE-2026-12045

Published Jun 19, 2026

Last updated 4 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-12045 describes a read-only transaction bypass vulnerability found in the AI Assistant feature of pgAdmin 4, affecting versions from 9.13 before 9.16. An attacker capable of influencing database content that the AI Assistant reads can exploit this flaw through prompt injection. This allows the attacker to execute arbitrary SQL queries with the privileges of the pgAdmin user's database role. The vulnerability arises because the AI Assistant's `execute_sql_query` tool, designed to run LLM-generated SQL within a `BEGIN TRANSACTION READ ONLY` wrapper, did not adequately restrict the LLM-supplied query. A multi-statement payload starting with transaction-ending commands like `COMMIT`, `END`, `ROLLBACK`, or `ABORT` could terminate the read-only transaction, causing subsequent statements to run in autocommit mode. If the pgAdmin user holds superuser privileges, this can be escalated to remote code execution on the database server via `COPY ... TO PROGRAM`.

Description: Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database content that the assistant reads to execute arbitrary SQL with the privileges of the pgAdmin user's database role. The AI Assistant's execute_sql_query tool runs LLM-generated SQL inside a BEGIN TRANSACTION READ ONLY wrapper to prevent data modification. The LLM-supplied query was forwarded to the database driver without restriction to a single statement or to read-only verbs, so a multi-statement payload beginning with COMMIT, END, ROLLBACK, or ABORT terminated the read-only transaction and ran subsequent statements in autocommit mode. The trailing ROLLBACK then had no effect. Delivery is via prompt injection: an attacker who can write content into any object the AI Assistant may inspect (a row, a column value, a comment) can cause the LLM to emit the multi-statement payload as a tool call. With ordinary write privileges on the pgAdmin user's role the attacker can perform unauthorised data modification. When the pgAdmin user's role is a PostgreSQL superuser or holds pg_execute_server_program, the chain extends to remote code execution on the database server host via COPY ... TO PROGRAM. Fix validates the LLM-supplied query up front: it must parse to exactly one non-empty / non-comment statement whose leading real token (after stripping whitespace, comments, and punctuation) is one of SELECT, WITH, EXPLAIN, SHOW, VALUES, or TABLE. Transaction-control verbs, DML, DDL, CALL, COPY, DO, SET/RESET, and everything else are rejected before any database work happens. PostgreSQL's READ ONLY mode continues to backstop data-modifying CTEs, EXPLAIN ANALYZE on writes, and volatile side effects. This issue affects pgAdmin 4: from 9.13 before 9.16.
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
NVD status: Received

Risk scores

CVSS 4.0

Type: Secondary
Base score: 9.4
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: CRITICAL

CVSS 3.1

Type: Secondary
Base score: 9
Impact score: 6
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

f86ef6dc-4d3a-42ad-8f28-e6d5547a5007: CWE-77

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 9

References

Sources include official advisories and independent security research.