public inbox for [email protected]  
help / color / mirror / Atom feed
From: pgAdmin Development Team via PostgreSQL Announce <[email protected]>
To: PostgreSQL Announce <[email protected]>
Subject: pgAdmin 4 v9.16 Released
Date: Fri, 19 Jun 2026 00:46:15 +0000
Message-ID: <[email protected]> (raw)

The pgAdmin Development Team is pleased to announce the release of pgAdmin 4 version 9.16. This release of pgAdmin 4 includes 64 bug fixes and new features, including fixes for seven security vulnerabilities (CVE-2026-12044 through CVE-2026-12050). For more details, please see the [release notes](https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html).

pgAdmin is the leading open-source graphical management tool for PostgreSQL. For more information, please see [the website](https://www.pgadmin.org/).

Notable changes in this release include:

## Features

* Colorize panel and tab headers based on the connected server's colour, making it easier to identify which server a tab belongs to at a glance.
* Add a "Back to login" link to the Forgot Password and Reset Password pages.
* Add support for the TOAST tuple target storage parameter in the Materialized View dialog.
* Make the init container security context in the Helm chart configurable via `containerSecurityContext`.
* Add support for closing a tab with a middle-click on its title.
* Allow the OAuth2 login button icon to use any Font Awesome style, not only brand icons.

## Security Fixes

* Fix SQL injection across sixteen dialog templates that rendered `COMMENT ON ... IS '<description>'`; switches affected templates to `qtLiteral` and rewrites stats calls to pass the relation OID via a `::oid::regclass` cast (CVE-2026-12044).
* Fix an AI Assistant read-only transaction bypass that allowed prompt-injected multi-statement payloads to commit out of the `READ ONLY` wrapper, chaining to RCE via `COPY ... TO PROGRAM` on a superuser connection (CVE-2026-12045).
* Fix two SQL Editor endpoints missing the `@pga_login_required` decorator, making them reachable without authentication in server mode and exposing a pickle deserialization sink (CVE-2026-12046).
* Fix HTML injection in the cloud deployment module (RDS, Azure, Google) where SDK exception text was forwarded to the browser unsanitised and rendered through `html-react-parser` (CVE-2026-12047).
* Fix critical stored cross-site scripting where PostgreSQL server error text and Explain plan-node content passed through `html-react-parser` across notifier toasts, form errors, modal alerts, and the Explain visualiser; injected script could exfiltrate saved server credentials and issue SQL against every connected server (CVE-2026-12048).
* Fix an open redirect in the multi-factor authentication flow via an unvalidated `next` parameter (CVE-2026-12049).
* Fix SQL injection in the named restore point endpoint where the user-supplied restore point name was interpolated into SQL via `str.format()` instead of a bound parameter (CVE-2026-12050).

## Bugs/Housekeeping

* Remove the administrator-role bypass from server-access helpers so the access-control checks added in 9.15 (CVE-2026-7813) are enforced uniformly.
* Remove EDB BigAnimal cloud deployment support, which was deprecated in 9.15.
* Preserve `jsonb` number representation in the JSON editor so trailing fractional zeros and large integers are no longer rewritten when saving unmodified rows.
* Fix a View/Edit Data crash when the session contains a transaction object that is not filter-capable, which could prevent the desktop application from loading after an upgrade.
* Rebase version-specific SQL templates so the default targets PostgreSQL 14, the oldest supported server version, dropping obsolete sub-14 template buckets.
* Strip the foreign-architecture slice from the macOS bundle so single-arch builds no longer ship unused code.
* Bump Electron to 42.3.3, `cryptography` to 49.0, and other Python and JavaScript dependencies.
* Update the Italian translation.

## Deprecations

* **pgAgent** has been deprecated and will be discontinued. pgAgent will be removed from the website within one month, and support within pgAdmin will be removed approximately six months from now. Users are encouraged to migrate to an alternative job scheduling solution.

Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from the [download area](https://www.pgadmin.org/download/).

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: pgAdmin 4 v9.16 Released
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox