From: Ashesh Vashi <[email protected]>
To: pgadmin-hackers <[email protected]>
Subject: pgAdmin 4 v9.15 Released
Date: Mon, 11 May 2026 19:54:19 +0530
Message-ID: <CAG7mmozi+u=D1y_C=qTWRjAgNjV7YAWvscGo5SBnLXDa_2xJug@mail.gmail.com> (raw)

The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.15.

This release of pgAdmin 4 includes 19 bug fixes and new features. For more
details please see the release notes at:

https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.html

pgAdmin is the leading Open Source graphical management tool for
PostgreSQL. For more information, please see:

https://www.pgadmin.org/

Notable changes in this release include:

*Features:*

   - Allow the Docker container image to run as a non-default user via the
   PUID and PGID environment variables.
*Bugs/Housekeeping:*

   - Fix cross-user data access and shared-server privilege escalation in
   server mode (CVE-2026-7813).
   - Tighten Shared Server feature parity, owner-only field handling, and
   write guards as a follow-up to the data-isolation hardening.
   - Fix stored cross-site scripting (XSS) via crafted PostgreSQL object
   names rendered in the Browser Tree and Explain Visualizer (CVE-2026-7814).
   - Fix SQL injection in the Maintenance tool option values
   (CVE-2026-7815).
   - Fix OS command injection in Import/Export query export (CVE-2026-7816).
   - Fix local-file inclusion and server-side request forgery in the LLM
   API configuration endpoints (CVE-2026-7817).
   - Fix unsafe deserialization in the session manager that could lead to
   remote code execution (CVE-2026-7818). This change also encrypts session
   files at rest using Fernet, restricts session-file and DATA_DIR permissions
   to 0o600, switches the session-digest default from SHA-1 to SHA-256, and
   drops several non-roundtrippable live objects from the session.
   - Fix symlink-based path traversal in the file manager (CVE-2026-7819).
   - Fix account-lockout bypass on Flask-Security's default /login view so
   the locked field is honored on every authentication path (CVE-2026-7820).
   - Use absolute paths for a2enmod and a2enconf in the Debian setup script
   so it works when /usr/sbin is not on PATH.
   - Bump Python and JavaScript runtime/development dependencies, and
   upgrade ESLint to v10.
   - Update the Czech, Italian, Russian, Spanish, and Swedish translations.
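
As an added illustration of the session-hardening pattern described in the CVE-2026-7818 entry above (this is example code, not pgAdmin's own session manager), the store below keeps session state as JSON rather than a pickled object, so loading a file can never execute code; encrypts each file at rest with Fernet (the `cryptography` package is assumed to be installed); names files by a SHA-256 digest of the session id; and creates files with mode 0o600. The data directory is given 0o700 here, which is my choice rather than the page's: a directory needs the execute bit to be traversed at all. A tampered or wrong-key file decrypts to `InvalidToken` and is treated as no session, which is the behaviour a defender wants instead of a crash or a partially trusted object.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

from cryptography.fernet import Fernet, InvalidToken


class EncryptedSessionStore:
    """Hypothetical file-backed session store (example code, not pgAdmin's).

    - Serialises sessions as JSON only: no pickle, so no code runs on load.
    - Encrypts every session file at rest with Fernet (AES-CBC + HMAC-SHA256).
    - Names files by SHA-256(session id) so the raw id never hits the disk.
    - Creates the data directory 0o700 and each session file 0o600.
    """

    def __init__(self, data_dir, key):
        self.data_dir = data_dir
        self.fernet = Fernet(key)
        os.makedirs(data_dir, mode=0o700, exist_ok=True)
        os.chmod(data_dir, 0o700)  # enforce even if the dir pre-existed

    def _path(self, sid):
        # SHA-256 rather than SHA-1 for the on-disk session digest.
        digest = hashlib.sha256(sid.encode("utf-8")).hexdigest()
        return os.path.join(self.data_dir, digest)

    def save(self, sid, session):
        plaintext = json.dumps(session).encode("utf-8")
        token = self.fernet.encrypt(plaintext)
        path = self._path(sid)
        # O_CREAT with 0o600 so the file is never world/group readable,
        # then chmod in case the file already existed with a wider mode.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(token)
        os.chmod(path, 0o600)
        return path

    def load(self, sid):
        """Return the session dict, or None if missing, tampered, or wrong key."""
        try:
            with open(self._path(sid), "rb") as f:
                token = f.read()
        except FileNotFoundError:
            return None
        try:
            plaintext = self.fernet.decrypt(token)
        except InvalidToken:
            return None  # HMAC failed or undecodable: never trust the contents
        return json.loads(plaintext.decode("utf-8"))


def mode_of(path):
    """Permission bits of a path (e.g. 0o600), ignoring file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Round-trip a constructed session, check modes, then tamper with the file."""
    data_dir = tempfile.mkdtemp(prefix="sess-demo-")
    try:
        store = EncryptedSessionStore(data_dir, Fernet.generate_key())
        sid = "constructed-session-id-0001"  # constructed sample value
        session = {"user_id": 42, "role": "viewer"}
        path = store.save(sid, session)
        result = {
            "roundtrip": store.load(sid),
            "file_mode": mode_of(path),
            "dir_mode": mode_of(data_dir),
            "digest_len": len(os.path.basename(path)),
            "missing": store.load("no-such-session"),
        }
        # Corrupt the tail of the token (the HMAC region): decrypt must fail closed.
        with open(path, "rb") as f:
            token = f.read()
        with open(path, "wb") as f:
            f.write(token[:-10] + b"A" * 10)
        result["tampered"] = store.load(sid)
        return result
    finally:
        shutil.rmtree(data_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns a dict so the outcome can be checked programmatically; on a POSIX system the file mode comes back as `0o600`, the directory as `0o700`, the file name is the 64-hex-character SHA-256 digest, and the tampered file loads as `None`.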

*Deprecations:*

   - The BigAnimal cloud deployment integration is deprecated and will be
   removed in the next version of pgAdmin 4.

Builds for Windows and macOS are available now, along with a Python Wheel,
Docker Container, RPM, DEB Package, and source code tarball from:

https://www.pgadmin.org/download/

---

Ashesh Vashi
pgAdmin Project
