
pgAdmin 4 Released With Fixes for Seven Security Vulnerabilities and New Features


Jun 22, 2026 · 3 min read

pgAdmin 4 version 9.16 has been released, delivering a combination of new features, bug fixes, and critical security updates to strengthen the widely used PostgreSQL management platform.

The update includes 64 bug fixes and addresses seven security vulnerabilities, tracked as CVE-2026-12044 through CVE-2026-12050.

pgAdmin remains one of the most popular open-source graphical tools for managing PostgreSQL databases, making these security fixes particularly important for enterprise and cloud deployments where the platform is commonly used for administrative access.

A major highlight of this release is the remediation of multiple high-impact vulnerabilities, including SQL injection flaws and cross-site scripting issues.

One of the most critical vulnerabilities, CVE-2026-12044, involved SQL injection across sixteen dialog templates where user-controlled input was improperly handled.

This flaw has now been mitigated by switching to safer query handling methods and proper casting mechanisms.

Another severe issue, tracked as CVE-2026-12045, allowed attackers to bypass read-only transaction restrictions in the AI Assistant feature.


By exploiting prompt injection, attackers could execute multi-statement payloads and potentially achieve remote code execution through PostgreSQL’s “COPY TO PROGRAM” capability when connected with elevated privileges.

Authentication and access control weaknesses were also addressed. CVE-2026-12046 exposed two SQL Editor endpoints that lacked proper authentication checks, allowing unauthorized access and introducing a deserialization risk. The fix ensures that all endpoints now enforce the required login validation.

Several client-side vulnerabilities were also resolved. CVE-2026-12048, a critical stored cross-site scripting issue, allowed malicious scripts embedded in PostgreSQL error messages or query plans to execute within the pgAdmin interface.

This could lead to credential theft and unauthorized database operations across active connections.

Additionally, CVE-2026-12047 fixed an HTML injection issue in cloud deployment integrations where unsanitized SDK error messages were rendered in the browser.
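Both the stored XSS in error messages and query plans (CVE-2026-12048) and the HTML injection in cloud SDK error messages (CVE-2026-12047) share one root cause: text that originates outside the application is placed into the page as markup. The example below is added here and is not pgAdmin's code; it contrasts a renderer that concatenates the message into HTML with one that encodes it first, using the standard-library `html` module, and the sample error string is constructed for the demonstration.

```python
import html

# Constructed sample: a database error message carrying a markup payload
# (assumption: in a real deployment the text would arrive from the driver or a cloud SDK).
SAMPLE_ERROR = 'relation "x<img src=x onerror=alert(1)>" does not exist'


def render_panel_vulnerable(message, css_class):
    """Message text becomes part of the HTML, so any tag inside it is interpreted."""
    return f'<pre class="{css_class}">{message}</pre>'


def encode_for_html(message):
    """Encode the five characters that can change HTML structure; attribute-safe too."""
    return html.escape(message, quote=True)


def render_panel_hardened(message, css_class):
    """The browser shows the message verbatim; it can no longer introduce elements."""
    return f'<pre class="{css_class}">{encode_for_html(message)}</pre>'


def panel_body(rendered):
    """Return the text between the <pre> tags, for checking what the browser would parse."""
    start = rendered.index(">") + 1
    end = rendered.rindex("</pre>")
    return rendered[start:end]


if __name__ == "__main__":
    print(render_panel_vulnerable(SAMPLE_ERROR, "sql-error"))
    print(render_panel_hardened(SAMPLE_ERROR, "sql-error"))
    # The same function serves the cloud-integration panel: the sink is identical.
    print(render_panel_hardened("InvalidParameter: <b>region</b>", "cloud-error"))
```

Encoding at the sink, rather than filtering at the source, is what makes this robust: the message round-trips unchanged for the reader (decoding the body gives back the original text), while no character in it can open or close an element.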

The release also fixes an open redirect vulnerability in multi-factor authentication flows (CVE-2026-12049) and another SQL injection flaw in the restore point functionality (CVE-2026-12050), both of which allowed user input to be inserted into SQL queries without proper parameterization.
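The two SQL injection fixes on this page (the dialog-template flaw in CVE-2026-12044, mitigated through "proper casting mechanisms", and the restore-point flaw in CVE-2026-12050, where input reached a query without parameterization) come down to the same pair of controls: cast the value to the type the query expects before anything is built, and bind it as a parameter rather than pasting it into the SQL text. The example below is an added illustration, not pgAdmin's code or templates; it uses Python's bundled sqlite3 purely so it runs offline, on the assumption that the same string-building mistake behaves the same way against PostgreSQL, with a constructed catalog table.

```python
import sqlite3


def make_catalog():
    """Constructed stand-in for a catalog table keyed by OID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE relations (oid INTEGER, relname TEXT)")
    conn.executemany(
        "INSERT INTO relations VALUES (?, ?)",
        [(16384, "customers"), (16385, "orders"), (16386, "audit_log")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, oid):
    """Template-style query: the caller's value is pasted straight into the SQL text."""
    sql = f"SELECT relname FROM relations WHERE oid = {oid} ORDER BY oid"
    return [row[0] for row in conn.execute(sql)]


def parse_oid(value):
    """Cast the request value to an int; None for anything that is not a plain integer."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def lookup_hardened(conn, oid):
    """Cast first, then bind: the value never becomes part of the SQL text."""
    oid_int = parse_oid(oid)
    if oid_int is None:
        raise ValueError(f"rejected non-integer oid: {oid!r}")
    sql = "SELECT relname FROM relations WHERE oid = ? ORDER BY oid"
    return [row[0] for row in conn.execute(sql, (oid_int,))]


if __name__ == "__main__":
    db = make_catalog()
    print(lookup_vulnerable(db, "16384"))
    print(lookup_vulnerable(db, "16384 OR 1=1"))   # the whole table comes back
    print(lookup_hardened(db, "16384"))
```

The cast is what turns a silently broadened query into a loud failure: an OID that is not an integer is rejected before any SQL exists, and the parameter binding means that even a value which survives the cast is transmitted as data, not as query text.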

Beyond security, pgAdmin 4 v9.16 introduces several usability enhancements. Users can now colorize panel and tab headers based on the connected server, making multi-server management more intuitive.

A middle-click tab-closing feature has been added, along with improvements to OAuth2 login customization and password reset navigation.

Additional updates include support for new PostgreSQL storage parameters, improvements to JSON handling, and dependency upgrades, including Electron 42.3.3 and updated cryptography libraries.

The Helm chart now allows configurable container security contexts, improving deployment flexibility in Kubernetes environments.

The release also enforces stricter access controls by removing a previously identified administrator role bypass. It aligns SQL templates with PostgreSQL 14, the oldest supported version.

Regarding deprecations, pgAgent has been officially marked for removal, and users are advised to migrate to alternative job scheduling solutions within the coming months.

pgAdmin 4 version 9.16 is now available for download across multiple platforms, including Windows, macOS, Linux packages, Docker containers, and Python distributions.

Organizations are strongly encouraged to upgrade promptly to mitigate the risk posed by these vulnerabilities and benefit from the latest improvements.

Source: CybersecurityNews.com
