pgAdmin 4 Released With Fixes for Seven Security Vulnerabilities and New Features
By Abinaya
June 22, 2026
pgAdmin 4 version 9.16 has been released, delivering a combination of new features, bug fixes, and critical security updates to strengthen the widely used PostgreSQL management platform.
The update includes 64 bug fixes and addresses seven security vulnerabilities, tracked as CVE-2026-12044 through CVE-2026-12050.
pgAdmin remains one of the most popular open-source graphical tools for managing PostgreSQL databases, making these security fixes particularly important for enterprise and cloud deployments where the platform is commonly used for administrative access.
A major highlight of this release is the remediation of multiple high-impact vulnerabilities, including SQL injection flaws and cross-site scripting issues.
One of the most critical vulnerabilities, CVE-2026-12044, involved SQL injection across sixteen dialog templates where user-controlled input was improperly handled.
This flaw has now been mitigated by switching to safer query handling methods and proper casting mechanisms.
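The article says the dialog-template injection (CVE-2026-12044) was fixed with safer query handling and proper casting, and describes the restore-point flaw (CVE-2026-12050) the same way. The following is an added example, not pgAdmin's own code, showing the difference between pasting a dialog value into SQL text and emitting it through PostgreSQL's literal and identifier quoting rules or a type cast. The builder functions, the `COMMENT ON TABLE` statement and the payload are constructed for illustration.

```python
# Added example (not pgAdmin code): one dialog value, two ways of reaching SQL.
# Builder names, the statement shape and the payload are hypothetical.


def quote_literal(value: str) -> str:
    """Quote a string literal the way PostgreSQL's quote_literal() does.

    A single quote inside the value is doubled. Backslashes need no escaping
    with the default standard_conforming_strings = on. NUL bytes are refused:
    PostgreSQL cannot store them and C-string based code truncates at them.
    """
    if "\x00" in value:
        raise ValueError("NUL byte in literal")
    return "'" + value.replace("'", "''") + "'"


def quote_ident(name: str) -> str:
    """Quote an identifier (schema, table, column, role) like quote_ident()."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def literal_int(value: str) -> str:
    """Numeric slot: cast instead of quote. Anything that is not an integer
    raises, so "10; DROP TABLE t" never reaches the SQL text at all."""
    return str(int(value.strip(), 10))


def is_valid_int(value: str) -> bool:
    try:
        literal_int(value)
    except ValueError:
        return False
    return True


def build_comment_sql_unsafe(table: str, comment: str) -> str:
    # Vulnerable: the value is interpolated raw, so a quote in it closes the
    # literal and the remainder is parsed as further SQL.
    return f"COMMENT ON TABLE {table} IS '{comment}';"


def build_comment_sql_safe(table: str, comment: str) -> str:
    # Hardened: the identifier and the literal each get their own quoting rule.
    return f"COMMENT ON TABLE {quote_ident(table)} IS {quote_literal(comment)};"


def build_limit_sql_safe(table: str, limit: str) -> str:
    # Hardened numeric slot: the value is cast, never quoted.
    return f"SELECT * FROM {quote_ident(table)} LIMIT {literal_int(limit)};"


# Constructed attacker input for a free-text comment field.
PAYLOAD = "x'; DROP TABLE users; --"

if __name__ == "__main__":
    print(build_comment_sql_unsafe("t", PAYLOAD))  # second statement appears
    print(build_comment_sql_safe("t", PAYLOAD))    # stays one literal
```

Where the slot is a value rather than an identifier, the stronger option is to let the driver bind it (`cursor.execute("... %s", (value,))` in psycopg) so the SQL text is never assembled from user input; identifiers cannot be bound as parameters, which is why table and column names still need identifier quoting or an allowlist.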
Another severe issue, tracked as CVE-2026-12045, allowed attackers to bypass the read-only transaction restrictions applied by the AI Assistant feature.
By exploiting prompt injection, an attacker could get the assistant to run a multi-statement payload and, when the assistant's connection used elevated privileges, potentially achieve remote code execution through PostgreSQL's COPY ... TO PROGRAM, which runs a shell command on the database server and is available only to superusers and members of the pg_execute_server_program role.
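The multi-statement angle is worth seeing concretely. The following is an added example, not pgAdmin's fix, and it assumes a hypothetical wrapper that executes user-influenced text as one string of the form `BEGIN; SET TRANSACTION READ ONLY; <text>; ROLLBACK;`. PostgreSQL runs every statement in such a string, so a payload that carries its own `COMMIT` ends the read-only transaction and whatever follows runs read-write. The guard counts top-level statements with a splitter that respects quotes, `E''` escape strings, dollar quoting and both comment styles, because any of those is where an attacker would try to hide a statement boundary.

```python
import re

# Added example, not pgAdmin's fix. The wrapper format below is assumed.

DOLLAR_TAG = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*\$|\$\$")
NEWLINE = re.compile(r"[\r\n]")           # the lexer ends -- comments at CR or LF


def _is_escape_string(sql: str, i: int) -> bool:
    """True when the quote at i opens an E'...' string, where backslash escapes."""
    if sql[i] != "'" or i == 0 or sql[i - 1] not in "eE":
        return False
    return i == 1 or not (sql[i - 2].isalnum() or sql[i - 2] in "_$")


def split_statements(sql: str) -> list[str]:
    """Split on top-level semicolons only.

    Semicolons inside 'literals', E'escape strings', "identifiers", $$dollar
    quotes$$, -- line comments and nested /* block comments */ do not end a
    statement, so the count cannot be lowered by hiding a boundary in them.
    """
    stmts, buf = [], []
    i, n = 0, len(sql)
    while i < n:
        ch, two = sql[i], sql[i:i + 2]
        if ch in ("'", '"'):
            esc = _is_escape_string(sql, i)
            j = i + 1
            while j < n:
                if esc and sql[j] == "\\":        # backslash escape in E''
                    j += 2
                    continue
                if sql[j] == ch:
                    if sql[j + 1:j + 2] == ch:    # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif two == "--":
            m = NEWLINE.search(sql, i)
            j = n if m is None else m.start()
            buf.append(sql[i:j])
            i = j
        elif two == "/*":
            depth, j = 1, i + 2
            while j < n and depth:
                if sql[j:j + 2] == "/*":
                    depth, j = depth + 1, j + 2
                elif sql[j:j + 2] == "*/":
                    depth, j = depth - 1, j + 2
                else:
                    j += 1
            buf.append(sql[i:j])
            i = j
        elif ch == "$" and (m := DOLLAR_TAG.match(sql, i)):
            tag = m.group(0)
            end = sql.find(tag, m.end())
            end = n if end < 0 else end + len(tag)
            buf.append(sql[i:end])
            i = end
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def wrap_read_only(user_sql: str) -> str:
    """Accept exactly one statement and return it inside the assumed wrapper."""
    stmts = split_statements(user_sql)
    if len(stmts) != 1:
        raise ValueError(f"expected one statement, found {len(stmts)}")
    return f"BEGIN; SET TRANSACTION READ ONLY; {stmts[0]}; ROLLBACK;"


def is_rejected(user_sql: str) -> bool:
    try:
        wrap_read_only(user_sql)
    except ValueError:
        return True
    return False


# Constructed payload: the COMMIT ends the read-only transaction, so the COPY
# runs in a fresh read-write one (and still needs superuser or
# pg_execute_server_program on the connection).
PAYLOAD = "SELECT 1; COMMIT; COPY (SELECT 1) TO PROGRAM 'id'"
```

With exactly one statement enforced, a lone `COMMIT` or `SET TRANSACTION` cannot be followed by anything, which is why the guard does not need a keyword denylist. The check does not remove the need for least privilege: a read-only transaction blocks data-modifying statements, not `COPY ... TO PROGRAM`, so a single-statement payload still executes commands if the assistant's connection role is allowed to use it. The role the assistant connects as is the control that matters most.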
Authentication and access control weaknesses were also addressed. CVE-2026-12046 covered two SQL Editor endpoints that lacked the login check enforced elsewhere, allowing unauthenticated access and introducing a deserialization risk. The fix ensures that all endpoints now enforce the required login validation.
Several client-side vulnerabilities were also resolved. CVE-2026-12048, a critical stored cross-site scripting issue, allowed malicious scripts embedded in PostgreSQL error messages or query plans to execute within the pgAdmin interface.
This could lead to credential theft and unauthorized database operations across active connections.
Additionally, CVE-2026-12047 fixed an HTML injection issue in cloud deployment integrations where unsanitized SDK error messages were rendered in the browser.
The release also fixes an open redirect in the multi-factor authentication flow (CVE-2026-12049), where a user-supplied redirect target was followed without validation, and another SQL injection flaw in the restore point functionality (CVE-2026-12050), where user input was inserted into a SQL query without proper parameterization.
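The article gives no detail on the MFA open redirect beyond its existence, so the following is an added, generic example rather than pgAdmin's fix: the check a login or MFA handler should apply to a user-supplied post-login target before redirecting to it. The parameter name `next` and the default landing path are assumed. Only a plain absolute path on the current host is accepted; each rejection branch names the browser normalisation trick it stops.

```python
from urllib.parse import urlsplit

# Added example, not pgAdmin's code. "next" and the default path are assumed.

DEFAULT_AFTER_LOGIN = "/"


def safe_next_url(candidate, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return candidate if it can only lead back into this site, else default."""
    if not candidate:
        return default
    # Control characters and whitespace are stripped or collapsed by browsers
    # and can smuggle a second header or a scheme; refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    # Must be a path. "//evil" and "///evil" are scheme-relative URLs, and
    # "/\evil" becomes "//evil" once a browser normalises the backslash.
    if (not candidate.startswith("/") or candidate.startswith("//")
            or "\\" in candidate):
        return default
    parts = urlsplit(candidate)
    # Defence in depth: a string that passed the checks above has no scheme or
    # host, but keep the assumption explicit in case those checks are relaxed.
    if parts.scheme or parts.netloc:
        return default
    return candidate


if __name__ == "__main__":
    for raw in ("/browser/", "//evil.example/", "///evil.example",
                "/\\evil.example", "https://evil.example/", "javascript:alert(1)"):
        print(f"{raw!r:28} -> {safe_next_url(raw)!r}")
```

If absolute URLs to the application's own origin must be accepted, compare the parsed host against a configured allowlist rather than against the request's Host header, which the client controls.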
Beyond security, pgAdmin 4 v9.16 introduces several usability enhancements. Users can now colorize panel and tab headers based on the connected server, making multi-server management more intuitive.
A middle-click tab-closing feature has been added, along with improvements to OAuth2 login customization and password reset navigation.
Additional updates include support for new PostgreSQL storage parameters, improvements to JSON handling, and dependency upgrades, including Electron 42.3.3 and updated cryptography libraries.
The Helm chart now allows configurable container security contexts, improving deployment flexibility in Kubernetes environments.
The release also enforces stricter access controls by removing a previously identified administrator role bypass. It aligns SQL templates with PostgreSQL 14, the oldest supported version.
Regarding deprecations, pgAgent has been officially marked for removal, and users are advised to migrate to alternative job scheduling solutions within the coming months.
pgAdmin 4 version 9.16 is now available for download across multiple platforms, including Windows, macOS, Linux packages, Docker containers, and Python distributions.
Organizations are strongly encouraged to upgrade promptly to mitigate the risk posed by these vulnerabilities and benefit from the latest improvements.
Abinaya, https://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.