CVE-2026-7814 Overview
CVE-2026-7814 is a stored cross-site scripting (XSS) vulnerability in pgAdmin 4, affecting the Browser Tree and Explain Visualizer modules. The flaw exists in versions of pgAdmin 4 before 9.15. User-controlled PostgreSQL object names — including database, schema, table, and column identifiers — were assigned to DOM elements using innerHTML. An authenticated database user can craft object names containing HTML markup that executes attacker-supplied JavaScript in the browser of any pgAdmin user who navigates to or runs EXPLAIN over the malicious object. The vulnerability is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers with privileges to create or rename PostgreSQL objects can execute arbitrary JavaScript in the session of any pgAdmin user who browses the affected database.
Affected Products
- pgAdmin 4 versions before 9.15
- pgAdmin 4 Browser Tree module
- pgAdmin 4 Explain Visualizer module
Discovery Timeline
- 2026-05-11 - CVE-2026-7814 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7814
Vulnerability Analysis
The vulnerability resides in client-side rendering logic within pgAdmin 4's web interface. The Browser Tree displays PostgreSQL objects retrieved from the connected database server. The Explain Visualizer renders the output of EXPLAIN query plans. Both modules assigned object names directly to DOM nodes through the innerHTML property without prior HTML escaping.
Because PostgreSQL permits a wide range of characters inside quoted identifiers, an attacker can create objects whose names contain HTML tags or <script> payloads. When pgAdmin renders the object name, the browser parses the embedded markup and executes any included JavaScript. The payload runs with the privileges of the victim's pgAdmin session, enabling theft of session tokens, manipulation of the pgAdmin UI, and execution of authenticated requests against connected databases.
Root Cause
The root cause is unsafe DOM injection. The affected code paths used element.innerHTML = name instead of element.textContent = name. innerHTML parses its assigned string as HTML, while textContent treats the value as literal text. The upstream fix replaces innerHTML with textContent in the affected components.
Attack Vector
Exploitation requires an attacker to have permission to create or rename PostgreSQL objects on a server managed through pgAdmin. The attacker creates an object — for example, a table or column — whose identifier embeds an HTML payload. User interaction is required: a pgAdmin user must navigate the Browser Tree to the malicious object or run EXPLAIN on a query referencing it. Because the payload is persisted in database metadata, the attack is stored and triggers automatically on later sessions.
No verified public exploit is available. See the GitHub Pull Request for the upstream fix and the GitHub Issue Report for additional context.
Detection Methods for CVE-2026-7814
Indicators of Compromise
- PostgreSQL object names containing HTML metacharacters such as <, >, ", or strings resembling <script>, <img, or onerror=.
- Unexpected outbound network requests from pgAdmin user browsers to attacker-controlled domains.
- pgAdmin session activity originating from IP addresses or user agents inconsistent with the legitimate operator.
Detection Strategies
- Audit PostgreSQL catalogs (pg_class, pg_namespace, pg_attribute) for identifiers containing angle brackets or script-like tokens.
- Inspect pgAdmin server logs for object enumeration requests that immediately precede anomalous activity from administrator accounts.
- Review browser Content Security Policy (CSP) violation reports if CSP is enforced in front of pgAdmin.
Monitoring Recommendations
- Monitor PostgreSQL DDL events such as CREATE TABLE, CREATE SCHEMA, and ALTER ... RENAME for identifiers with unusual characters.
- Alert on creation of database objects by accounts that do not normally perform schema changes.
- Capture HTTP traffic from pgAdmin instances and flag responses containing object names with embedded HTML.
How to Mitigate CVE-2026-7814
Immediate Actions Required
- Upgrade pgAdmin 4 to version 9.15 or later on every server, desktop, and container deployment.
- Identify and rename any PostgreSQL objects whose names contain HTML markup before reopening pgAdmin against the affected database.
- Restrict CREATE and ALTER privileges on shared PostgreSQL instances to trusted roles only.
Patch Information
The fix replaces innerHTML with textContent in the Browser Tree and Explain Visualizer modules, ensuring object names render as literal text. The patch is included in pgAdmin 4 release 9.15. Patch details are available in the pgAdmin 4 Pull Request #9865.
Workarounds
- Limit pgAdmin access to PostgreSQL servers where only trusted administrators hold object creation privileges.
- Avoid browsing or running EXPLAIN against untrusted databases using vulnerable pgAdmin versions.
- Deploy a reverse proxy in front of pgAdmin that enforces a strict Content Security Policy disallowing inline script execution.
# Configuration example: upgrade pgAdmin 4 via pip
pip install --upgrade "pgadmin4>=9.15"
# Or pull the patched container image
docker pull dpage/pgadmin4:9.15
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
