The pgAdmin Development Team is pleased to announce pgAdmin 4 version 9.16.
This release of pgAdmin 4 includes 64 bug fixes and new features. For more details please see the release notes at:

https://www.pgadmin.org/docs/pgadmin4/9.16/release_notes_9_16.html

pgAdmin is the leading Open Source graphical management tool for PostgreSQL. For more information, please see:

https://www.pgadmin.org/

Notable changes in this release include:

*Features:*

* Add an option to colourize panel and tab headers based on the connected server's colour, making it easier to tell at a glance which server a tab is connected to.
* Add a "Back to login" link to the Forgot Password and Reset Password pages.
* Add support for the TOAST tuple target storage parameter in the Materialized View dialog.
* Make the init container security context in the Helm chart configurable via containerSecurityContext, consistent with the main container.
* Add support for closing a tab with a middle-click on its title.
* Allow the OAuth2 login button icon to use any Font Awesome style (e.g. fas fa-key), not only brand icons.

*Bugs/Housekeeping:*

* Fix SQL injection across sixteen dialog templates that rendered COMMENT ON ... IS '<description>' and the related pgstattuple/pgstatindex stats sinks; the fix switches the affected templates to qtLiteral and rewrites the stats calls to pass the relation OID via a ::oid::regclass cast (CVE-2026-12044).
* Fix the AI Assistant read-only transaction bypass that allowed prompt-injected multi-statement payloads to commit outside the READ ONLY wrapper and execute arbitrary SQL, chaining to RCE via COPY ... TO PROGRAM on a superuser connection (CVE-2026-12045).
* Fix two SQL Editor endpoints (close and update_connection) that were missing the @pga_login_required decorator, making them reachable without authentication in server mode and exposing a pickle deserialization sink (CVE-2026-12046).
* Fix HTML injection in the cloud deployment module (RDS, Azure, Google) where SDK exception text was forwarded to the browser unsanitised and rendered through html-react-parser in the Cloud Wizard (CVE-2026-12047).
* Fix critical stored cross-site scripting where PostgreSQL server error text and Explain plan-node content passed through html-react-parser in notifier toasts, form errors, modal alerts, and the Explain visualiser; under pgAdmin's default Content-Security-Policy, injected script ran same-origin to the victim's session and could exfiltrate saved server credentials and issue SQL against every connected server (CVE-2026-12048).
* Fix the open redirect in the multi-factor authentication flow via an unvalidated next parameter (CVE-2026-12049).
* Fix SQL injection in the named restore point endpoint where the user-supplied restore point name was interpolated into SQL via str.format() instead of being passed as a bound parameter (CVE-2026-12050).
* Remove the administrator-role bypass from the server-access helpers so the access-control checks added in 9.15 (CVE-2026-7813) are enforced uniformly. The Administrator role manages pgAdmin itself, not other users' database connections.
* Remove the EDB BigAnimal cloud deployment support, which was deprecated in 9.15.
* Preserve the jsonb number representation in the JSON editor so trailing fractional zeros and large integers are no longer rewritten when saving unmodified rows.
* Fix a View/Edit Data crash when the session contains a transaction object that is not filter-capable (e.g. left by the Query Tool or persisted by an older version), which could prevent the desktop application from loading after an upgrade.
* Rebase the version-specific SQL templates so the default targets PostgreSQL 14, the oldest supported server version, dropping the obsolete sub-14 template buckets.
* Strip the foreign-architecture slice from the macOS bundle so single-arch builds no longer ship the universal2 Python framework's unused arm64/x86_64 code.
* Bump Electron in the desktop runtime to 42.3.3 and pin the packaged Electron version; bump cryptography to 49.0 and other Python and JavaScript dependencies via the dependabot batch.
* Update the Italian translation.

Builds for Windows and macOS are available now, along with a Python Wheel, Docker Container, RPM, DEB Package, and source code tarball from:

https://www.pgadmin.org/download/

*Deprecation Notice: pgAgent*

pgAgent has been deprecated and will be discontinued. pgAgent will be removed from the website within one month. Support for pgAgent within pgAdmin will be removed in a future release approximately six months from now. Users are encouraged to migrate to an alternative job scheduling solution before support is removed.

---
Ashesh Vashi
pgAdmin Project
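An added illustration of the restore-point fix noted above (CVE-2026-12050); this is not pgAdmin's own code. It contrasts the vulnerable str.format() interpolation with a literal-quoted form and a bound-parameter form, and uses a small literal scanner to show that a quote in the name changes the statement structure in the first case only. quote_literal and scan_literals are assumed stand-ins written for this demo, not pgAdmin's qtLiteral helper.

```python
from __future__ import annotations


def build_unsafe(name: str) -> str:
    # Vulnerable pattern: the user-supplied name is pasted into the SQL text.
    return "SELECT pg_create_restore_point('{0}');".format(name)


def quote_literal(value: str) -> str:
    # Assumed stand-in for a literal-quoting helper (not pgAdmin's qtLiteral).
    # With standard_conforming_strings on, a quote inside a '...' literal is
    # escaped by doubling it, so the input can never terminate the literal.
    return "'" + value.replace("'", "''") + "'"


def build_quoted(name: str) -> str:
    return "SELECT pg_create_restore_point({0});".format(quote_literal(name))


def build_bound(name: str) -> tuple[str, tuple[str, ...]]:
    # Preferred fix: fixed statement text plus a bound parameter; the driver
    # sends the value separately, so it is never parsed as SQL.
    return "SELECT pg_create_restore_point(%s);", (name,)


def scan_literals(sql: str) -> tuple[list[str], bool]:
    # Walk the statement tracking '...' literals ('' inside one is an escaped
    # quote). Returns the literal values found and whether the scan ended
    # outside a literal, i.e. whether the statement is well-formed.
    literals: list[str] = []
    buf: list[str] = []
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'" and i + 1 < len(sql) and sql[i + 1] == "'":
                buf.append("'")
                i += 1
            elif ch == "'":
                literals.append("".join(buf))
                buf, in_literal = [], False
            else:
                buf.append(ch)
        elif ch == "'":
            in_literal = True
        i += 1
    return literals, not in_literal


# Constructed sample name containing a single quote.
NAME = "ops' nightly snapshot"
```

Scanning the three forms with NAME shows the unsafe build ends inside an unterminated literal and has lost most of the name, while the quoted build yields the intended single literal and the bound form contains no literal at all.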
