pgAdmin 4 AI Assistant SQL Injection via Prompt Injection

CVE advisory: CVE-2026-12045. Severity: CRITICAL (CVSS 9.4)

pgAdmin is a database management tool typically deployed in internal, protected administrative networks. While it may be network-reachable in some enterprise environments, it is not designed to be public-facing and is usually shielded by internal access controls, VPNs, or identity-aware proxies, making public internet exposure uncommon.

Vulnerability type: SQL Injection

External exposure likelihood (Halo Surface Signal): 2 out of 5, less likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the pgAdmin 4 AI Assistant could allow unauthorized data modification or even remote code execution. This occurs when an attacker influences data that the AI Assistant reads, causing it to generate malicious SQL commands that bypass transaction restrictions. The primary concern is confirming relevance and exposure within your environment.

  • A flaw lets attackers change data or run code.
  • It affects how the AI Assistant processes database queries.
  • Confirm if your organization uses this tool and is exposed.

Attack Path

How an attacker could exploit the issue

An attacker with the ability to influence data that the pgAdmin AI Assistant inspects can craft a prompt to inject a malicious SQL query. This query can terminate the AI Assistant's read-only transaction, allowing subsequent commands to execute with the privileges of the pgAdmin user's database role, potentially leading to unauthorized data modification or even remote code execution.

  • Attacker can write to inspectable data.
  • Prompt injection triggers SQL execution.
  • Risk of data modification or code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary SQL commands within the pgAdmin user's database role. When the pgAdmin user has elevated privileges, this could lead to remote code execution on the database server.

  • At risk: database credentials and sensitive information.
  • Vector: prompt injection leading to SQL injection.
  • Impact: unauthorized data modification and remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for database administration and application security should prioritize addressing this vulnerability. The first practical step is to identify all instances of the affected technology, confirm their accessibility and business criticality, and then locate the accountable owner to plan remediation based on assessed risk.

  • Database and security teams own this.
  • Verify data influence and pgAdmin reachability.
  • Plan and coordinate remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is pgAdmin 4 and its AI Assistant?

pgAdmin 4 is a widely used open-source graphical management tool for PostgreSQL databases. It provides a web-based interface for database administrators to manage, query, and monitor their database clusters. The AI Assistant feature is an integrated tool designed to help users generate SQL queries or analyze database content using large language models. Users interact with this assistant to streamline database tasks by providing natural language prompts that the assistant translates into SQL commands.

How does CVE-2026-12045 enable SQL injection?

This vulnerability, classified as CWE-89 and CWE-77, occurs because the AI Assistant fails to restrict the structure of the SQL commands it generates. While it attempts to use a read-only transaction mode, it does not prevent the inclusion of transaction-ending commands like COMMIT or ROLLBACK. An attacker can use prompt injection to trick the AI into outputting these commands, which effectively breaks out of the read-only sandbox and allows the execution of arbitrary, unauthorized SQL statements.

When is an attacker able to trigger this flaw?

The trigger requires the attacker to influence the data that the pgAdmin AI Assistant reads, such as modifying a table row, column value, or database comment that the assistant is asked to analyze. If the assistant does not inspect user-controlled data, it remains unaffected. Simply viewing a database does not trigger the bug; the attacker must successfully write malicious content that the AI Assistant processes as a prompt, leading it to generate the dangerous multi-statement SQL payload.

Is my pgAdmin 4 instance at risk?

Halo Surface Signal suggests risk is unlikely for most because pgAdmin 4 is typically deployed within internal, protected networks and is not meant to be internet-facing. If your instance is shielded by VPNs, identity-aware proxies, or strict internal access controls, the likelihood of an external attacker reaching it to perform prompt injection is significantly reduced. You should prioritize instances that are accessible beyond these standard internal security boundaries.

What should I do to address CVE-2026-12045?

Start by identifying all deployed instances of pgAdmin 4 within your environment to determine which versions fall between 9.13 and 9.16. Once you have a list, work with your database and security teams to assess how these tools are accessed and who has permissions to influence data the assistant might read. Coordinate with your team to plan an upgrade to a version that includes the necessary query validation logic, which ensures only safe, non-modifying SQL statements are permitted.
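The following is an added example, not pgAdmin's own code, of the kind of query validation the upgrade is described as adding: a client-side gate that accepts exactly one read-only statement and refuses anything that could end the READ ONLY transaction, covering both the COMMIT/ROLLBACK escape explained in the FAQ above and the "only safe, non-modifying SQL" requirement here. The function names, the allow and deny lists, and the assumption of PostgreSQL's default standard_conforming_strings = on are mine.

```python
# Added example, not pgAdmin's own code: a client-side gate for LLM-generated SQL that accepts
# one read-only statement and refuses anything that could end the READ ONLY transaction
# ("SELECT ...; COMMIT; <write>"). Literals and comments are lexed the way PostgreSQL does
# (assumes standard_conforming_strings = on) so smuggled keywords cannot fool the split.
import re

READ_ONLY_STARTS = {"SELECT", "WITH", "EXPLAIN", "SHOW", "TABLE", "VALUES"}
TXN_CONTROL = {"COMMIT", "ROLLBACK", "END", "ABORT", "BEGIN", "START", "PREPARE", "SAVEPOINT", "RELEASE"}
NESTED_WRITES = {"INSERT", "UPDATE", "DELETE", "MERGE", "INTO", "CREATE"}  # can hide under WITH / EXPLAIN ANALYZE
IDENT = re.compile(r"[A-Za-z0-9_$]")
DOLLAR = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")

def split_statements(sql):
    """Split on ';' outside literals/comments, blanking their bodies; ValueError if unterminated."""
    out, stmts, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        dq = None if i and IDENT.match(sql[i - 1]) else DOLLAR.match(sql, i)  # $$ after an identifier char is not a quote
        if sql.startswith("--", i):                       # line comment
            j = sql.find("\n", i); i = n if j < 0 else j
        elif sql.startswith("/*", i):                     # block comment; PostgreSQL nests these
            depth, i = 1, i + 2
            while depth and i < n:
                tok = sql[i:i + 2]; depth += {"/*": 1, "*/": -1}.get(tok, 0); i += 2 if tok in ("/*", "*/") else 1
            if depth: raise ValueError("unterminated comment")
        elif c in "'\"" or dq:                            # '..', "..", E'..', $tag$..$tag$
            closer = dq.group(0) if dq else c
            esc = c == "'" and i and sql[i - 1] in "eE" and not (i > 1 and IDENT.match(sql[i - 2]))
            out.append(closer); i += len(closer)
            while i < n and not sql.startswith(closer, i):
                i += 2 if esc and sql[i] == "\\" else 1   # in E'..' a backslash escapes the next char
            if i >= n: raise ValueError("unterminated literal")
            out.append(closer); i += len(closer)
        elif c == ";":
            stmts.append("".join(out).strip()); out = []; i += 1
        else:
            out.append(c); i += 1
    return [s for s in stmts + ["".join(out).strip()] if s]

def validate_generated_sql(sql):
    """Return (allowed, reason); the server-side READ ONLY mode stays the real enforcement."""
    try: stmts = split_statements(sql)
    except ValueError as e: return False, str(e)
    if len(stmts) != 1: return False, f"expected one statement, found {len(stmts)}"
    words = re.findall(r"[A-Za-z_]\w*", stmts[0].upper())
    first = words[0] if words else ""
    if first in TXN_CONTROL: return False, f"transaction control not allowed: {first}"
    if first not in READ_ONLY_STARTS: return False, f"not a read-only statement: {first!r}"
    hidden = NESTED_WRITES & set(words[1:])
    return (False, f"nested write keyword: {sorted(hidden)}") if hidden else (True, "ok")
```

The gate errs on the side of rejecting (a column legitimately named `update` is refused), which is the right trade-off for text an LLM produced from data an attacker may control.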
