| From: | pgAdmin Development Team via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org> |
|---|---|
| To: | PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org> |
| Subject: | pgAdmin 4 v9.15 Released |
| Date: | 2026-05-11 16:45:42 |
| Message-ID: | 177851794230.851.10919277514111552494@wrigleys.postgresql.org |
| Lists: | pgsql-announce |
The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.15.
This release of pgAdmin 4 includes 19 bug fixes and new features. For more details please see the release notes at:
<https://www.pgadmin.org/docs/pgadmin4/9.15/release_notes_9_15.html>
pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see:
**Notable changes in this release include:**
## Features
- Allow the Docker container image to run as a non-default user via the `PUID` and `PGID` environment variables.
## Bugs/Housekeeping
- Fix cross-user data access and shared-server privilege escalation in server mode (**CVE-2026-7813**).
- Tighten Shared Server feature parity, owner-only field handling, and write guards as a follow-up to the data-isolation hardening.
- Fix stored cross-site scripting (XSS) via crafted PostgreSQL object names rendered in the Browser Tree and Explain Visualizer (**CVE-2026-7814**).
- Fix SQL injection in the Maintenance tool option values (**CVE-2026-7815**).
- Fix OS command injection in Import/Export query export (**CVE-2026-7816**).
- Fix local-file inclusion and server-side request forgery in the LLM API configuration endpoints (**CVE-2026-7817**).
- Fix unsafe deserialization in the session manager that could lead to remote code execution (**CVE-2026-7818**). This change also encrypts session files at rest using Fernet, restricts session-file and `DATA_DIR` permissions to `0o600`, switches the session-digest default from SHA-1 to SHA-256, and drops several non-roundtrippable live objects from the session.
- Fix symlink-based path traversal in the file manager (**CVE-2026-7819**).
- Fix account-lockout bypass on Flask-Security's default `/login` view so the `locked` field is honored on every authentication path (**CVE-2026-7820**).
- Use absolute paths for `a2enmod` and `a2enconf` in the Debian setup script so it works when `/usr/sbin` is not on `PATH`.
- Bump Python and JavaScript runtime/development dependencies, and upgrade ESLint to v10.
- Update the Czech, Italian, Russian, Spanish, and Swedish translations.
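The session-manager fix above combines three controls: no unsafe deserialization of session files, an integrity digest that defaults to SHA-256 instead of SHA-1, and `0o600` permissions on the files themselves. The following is an added example written for this page, not pgAdmin's own session code, showing how those controls fit together in a small file-backed session store. It uses only the Python standard library, so it substitutes an HMAC-SHA256 integrity tag for the Fernet encryption the release uses; `DEMO_KEY`, `write_session`, `read_session` and `run_checks` are names chosen here, and the session contents and key are constructed values.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Constructed demo key. A real deployment derives the key from the
# application's secret key or a dedicated key file; never hard-code it.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def session_digest(key: bytes, payload: bytes) -> str:
    """SHA-256 HMAC over the serialized session bytes (no SHA-1)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def write_session(path: str, session: dict, key: bytes = DEMO_KEY) -> None:
    """Persist a session as JSON plus an integrity tag, owner-readable only.

    json.dumps refuses anything that is not plain data (TypeError), which is
    what keeps live objects such as open connections out of the file.
    """
    payload = json.dumps(session, sort_keys=True).encode()
    envelope = json.dumps(
        {"digest": session_digest(key, payload), "session": payload.decode()}
    ).encode()
    # Create with 0o600 from the first instant and fchmod afterwards so a
    # permissive umask or a pre-existing file cannot leave it group/world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, envelope)
    finally:
        os.close(fd)


def read_session(path: str, key: bytes = DEMO_KEY) -> dict:
    """Load a session file; refuse loose permissions, tampering, or non-JSON."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other (mode {mode:o})")
    with open(path, "rb") as fh:
        envelope = json.loads(fh.read())  # plain JSON only; never pickle.load
    payload = envelope["session"].encode()
    expected = session_digest(key, payload)
    if not hmac.compare_digest(expected, envelope["digest"]):
        raise ValueError("session digest mismatch: file was modified")
    return json.loads(payload)


def run_checks() -> dict:
    """Exercise the store in a temp dir and report which protections fired."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session.json")
        # Constructed session contents.
        original = {"user_id": 42, "csrf": "constructed-token", "shared_servers": [1, 7]}
        write_session(path, original)
        results["roundtrip"] = read_session(path) == original
        results["mode_0600"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600

        # Tampering: change the stored user id without knowing the key.
        with open(path, "r+") as fh:
            env = json.load(fh)
            env["session"] = env["session"].replace('"user_id": 42', '"user_id": 1')
            fh.seek(0)
            fh.truncate()
            json.dump(env, fh)
        try:
            read_session(path)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True

        # Loose permissions: the loader refuses a group/world-readable file.
        write_session(path, original)
        os.chmod(path, 0o644)
        try:
            read_session(path)
            results["loose_mode_rejected"] = False
        except PermissionError:
            results["loose_mode_rejected"] = True

        # Live objects cannot be written: a file handle is not JSON-serializable.
        with open(os.devnull) as dev:
            try:
                write_session(path, {"conn": dev})
                results["live_object_rejected"] = False
            except TypeError:
                results["live_object_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_checks())
```

The two load-time checks are deliberately ordered: the permission check runs before any bytes are read, and the digest is compared with `hmac.compare_digest` before the payload is parsed, so a modified or over-exposed file never reaches application code as session state.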
## Deprecations
- The **BigAnimal** cloud deployment integration is deprecated and will be removed in the next version of pgAdmin 4.
---
Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from: