Postgres Enterprise Manager 10.5.0 release notes v10.5

Released: 22 June 2026

PEM sizing and scalability

PEM 10.5 includes performance enhancements that have resulted in changes to our sizing guidance. We recommend you review the updated sizing guidance to ensure your system is right-sized for PEM 10.5.

Changes to CLI option parsing

PEM 10.5 features more robust option parsing for the pemworker CLI and for the configure_pem_server.sh script. Some combinations of options that were previously accepted may no longer be accepted, so please review any scripts or automations that use these CLIs when upgrading.

New features, enhancements, bug fixes, and other changes in Postgres Enterprise Manager 10.5.0 include the following:

Highlights

  • Improved UX for assigning and creating profiles
  • Multiple enhancements to the new reporting capabilities, including the ability to run custom reports against the PEM server itself
  • Significantly improved alert evaluation performance, particularly in systems with more than one alert thread

Enhancements

Introduced a Server Downtime Report tracking availability with planned versus unplanned downtime classification.

Introduced a Server Downtime Report that tracks server availability by monitoring heartbeat gaps, providing uptime/downtime analysis with planned versus unplanned downtime classification using blackout periods.

Added probe data and history REST API endpoints (v17) for multiple objects per call.

Added probe data and history REST API endpoints (v17) that expose monitoring data from the pemdata and pemhistory tables for multiple objects in a single call, supporting both numeric probe ID and internal name addressing.

Introduced Cluster Topology Discovery and Visualization with interactive SVG diagrams for replication clusters.

Introduced Cluster Topology Discovery and Visualization, which automatically discovers PostgreSQL replication clusters (physical streaming replication, Patroni, PGD, EFM) and renders interactive SVG topology diagrams in the PEM browser tree, with support for cascading replication, lag display, and role badges.

Added a Profile Assignments page to view and change profile assignments inline or in bulk.

Added a new Profile Assignments page (Management > Monitoring > Profile Assignments) that displays all servers and agents in a tree view grouped by server group and cluster, allowing authorized users to view and change profile assignments inline or in bulk via multi-select.

Implemented team-based RBAC filtering for report templates with row-level security policies.

Implemented team-based RBAC filtering for report templates, allowing administrators to designate reports as PEM-only (running on the PEM database) with row-level security policies that enforce team-based visibility.

Added repeating section support to report templates, iterating over group query rows.

Added repeating section support to report templates, enabling report sections to iterate over rows from a group query with per-row parameter substitution to produce structured multi-instance output within a single section.

Added profile import/export endpoints for replicating monitoring profiles across PEM installations.

Added profile import/export endpoints that enable users to export monitoring profiles as JSON files and import them into other PEM installations for easy configuration replication across environments.

Added the ability to clone an existing profile via the Add Profile dialog.

Added the ability to clone an existing profile via the Add Profile dialog, allowing administrators to create new profiles based on existing configurations without manual reconfiguration.

Added application-layer authorization gates requiring management roles for PEM REST API write endpoints.

Added application-layer authorization gates for PEM REST API write endpoints, requiring callers to hold the relevant PEM management role (for example, asset management or alert management) for write operations.

Introduced search-by-name capability for monitored objects in REST API v17.

Introduced search-by-name capability for API v17, enabling users to search for monitored objects (agents, servers, databases) by name through the REST API.

Added server_id and agent_id to the System Configuration Report's delayed alerts section.

Enhanced the System Configuration Report to include server_id and agent_id in the delayed alerts section, making it easier to identify which server or agent is affected by delayed alert processing.

Added multi-server and multi-agent selection to the Alert History Report modal.

Added support for selecting multiple servers and agents in the Alert History Report modal, enabling users to generate reports spanning multiple monitored targets in a single execution.

Addresses: 57611

Added database name display to the report history table and executed report header.

Added database name display to the report history table and executed report header, giving users clear context about which database a report was executed against.

Added the is_pem_report flag so the Core Usage Report runs on the PEM database.

Added the is_pem_report flag to the Core Usage Report, ensuring it runs on the PEM database and appears in the appropriate report category.

Re-introduced the "Show Acknowledged Alerts" setting on the alert dashboard.

Re-introduced the "Show Acknowledged Alerts" setting on the alert dashboard, allowing users to toggle visibility of acknowledged alerts in the monitoring view.

Added a navigation link from Manage Profiles to Profile Assignments.

Added a navigation link from Manage Profiles to Profile Assignments, improving workflow efficiency when administrators need to switch between profile configuration and assignment tasks.

Added webhook test connection support with OAuth2 authentication.

Added webhook test connection support with OAuth2 authentication, enabling users to verify webhook endpoint connectivity when OAuth2 credentials are configured.

Added configuration options to specify the TLS version for agent WebClient operations.

Added configuration options to specify the TLS version for different WebClient operations in the agent, allowing administrators to enforce specific TLS versions for enhanced security compliance.

Re-introduced the ENABLE_DATA_ACCESS_TOOLS and ENABLE_DEBUGGER settings dropped in PEM 10.0.

Re-introduced the ENABLE_DATA_ACCESS_TOOLS and ENABLE_DEBUGGER configuration settings (default True) that were dropped in the PEM 10.0 release.

Batched session_info CPU sampling across backends to reduce per-session collection overhead.

Batched session_info CPU sampling across all backends, reducing the overhead of per-session CPU usage collection on systems with many active connections.

Addresses: 59499

Optimized probe_target_view SQL using CTEs and removed unnecessary joins to improve performance.

Optimized the SQL of probe_target_view to use CTEs and removed unnecessary joins for probe target levels below database, improving query performance.

Optimized the purge job by combining age-based and obsolete-object purging into one function.

Optimized the purge job by combining age-based and obsolete-object purging into a single function, reducing the number of database scans required for data cleanup.

Addresses: 56990

Security Fixes

Fixed a SQL injection vulnerability (CVE-2026-7815) in the Maintenance Tool options.

Fixed a SQL injection vulnerability (CVE-2026-7815) in the Maintenance Tool options, where unsafe values for vacuum_index_cleanup, vacuum_parallel, and buffer_usage_limit were rendered directly into SQL templates; server-side allow-list validation and qtIdent escaping for tablespace identifiers were added.
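The two defences named for CVE-2026-7815, an allow-list for option values and identifier quoting for object names, are the right tools where a bound parameter cannot be used (SQL keywords and identifiers are not bindable). The following is an added example written for these notes, not PEM's own Maintenance Tool code or pgAdmin's qtIdent. The allowed values follow PostgreSQL's VACUUM option grammar (INDEX_CLEANUP AUTO/ON/OFF, PARALLEL 0..1024, BUFFER_USAGE_LIMIT as a size) but the exact allow-list PEM ships is not given on the page, so treat them as assumptions; the function and class names are likewise illustrative.

```python
import re

# Allow-listed values (assumption: modelled on PostgreSQL's VACUUM grammar,
# not copied from PEM's own validator).
INDEX_CLEANUP_VALUES = {"auto", "on", "off"}
BUFFER_USAGE_LIMIT_RE = re.compile(r"^(?:0|[1-9][0-9]{0,9})(?:kB|MB|GB|TB)?$")
PARALLEL_MAX = 1024


class MaintenanceOptionError(ValueError):
    """Raised for any option value that is not on the allow-list."""


def quote_ident(name):
    """Quote an SQL identifier: wrap in double quotes and double embedded quotes.
    Identifiers cannot be passed as bound parameters, so this is the only safe way
    to place a user-supplied table or tablespace name into SQL text."""
    if not name or "\x00" in name:
        raise MaintenanceOptionError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


def build_vacuum(table, index_cleanup=None, parallel=None, buffer_usage_limit=None):
    """Render a VACUUM statement; every option value is validated before use."""
    opts = []
    if index_cleanup is not None:
        value = str(index_cleanup).lower()
        if value not in INDEX_CLEANUP_VALUES:
            raise MaintenanceOptionError("INDEX_CLEANUP must be one of auto/on/off")
        opts.append("INDEX_CLEANUP %s" % value.upper())
    if parallel is not None:
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(parallel, bool) or not isinstance(parallel, int) \
                or not 0 <= parallel <= PARALLEL_MAX:
            raise MaintenanceOptionError("PARALLEL must be an integer 0..%d" % PARALLEL_MAX)
        opts.append("PARALLEL %d" % parallel)
    if buffer_usage_limit is not None:
        value = str(buffer_usage_limit)
        if not BUFFER_USAGE_LIMIT_RE.match(value):
            raise MaintenanceOptionError("BUFFER_USAGE_LIMIT must be a size such as 256kB")
        opts.append("BUFFER_USAGE_LIMIT '%s'" % value)
    sql = "VACUUM"
    if opts:
        sql += " (" + ", ".join(opts) + ")"
    return sql + " " + quote_ident(table) + ";"


if __name__ == "__main__":
    print(build_vacuum("orders", index_cleanup="auto", parallel=2, buffer_usage_limit="256kB"))
    print(build_vacuum('odd"name'))
```

Rejecting with an exception rather than falling back to a default is deliberate: a silently substituted value would hide the fact that the UI sent something unexpected, which is exactly the signal you want logged.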

Fixed an OS command injection vulnerability (CVE-2026-7816) in the Import/Export query export.

Fixed an OS command injection vulnerability (CVE-2026-7816) in the Import/Export query export, via unsanitized query content and format options passed to the psql template; allow-list validation and a balanced-parenthesis query parser were added.

Fixed a pickle deserialization RCE vulnerability (CVE-2026-7818) in the session manager.

Fixed a pickle deserialization remote code execution vulnerability (CVE-2026-7818) in the session manager, where a crafted session file could execute arbitrary code under the PEM process; session files are now HMAC-verified with hmac.compare_digest before deserialization.
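The HMAC-before-deserialize pattern described for CVE-2026-7818, as an added example that is not PEM's session manager code: a tag is computed over the serialized payload with a server secret and checked with hmac.compare_digest, so pickle.loads is never reached for a file that was not produced with that key. The key value, the file layout (a 32-byte SHA-256 tag followed by the payload) and the session contents are assumptions made for illustration.

```python
import hashlib
import hmac
import pickle

# Constructed key for the example; a real deployment loads it from server config.
SESSION_KEY = b"example-secret-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_session(data, key=SESSION_KEY):
    """Serialize a session and prefix an HMAC-SHA256 tag computed over the payload."""
    payload = pickle.dumps(data, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_session(blob, key=SESSION_KEY):
    """Verify the tag in constant time before touching pickle.
    Returns the session dict, or None when the file is too short or the tag
    does not match (in which case the payload is never deserialized)."""
    if len(blob) < TAG_LEN:
        return None
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return pickle.loads(payload)


def demo():
    """Round-trip a session, then show that a modified payload and a tag
    forged without the key are both rejected before deserialization."""
    session = {"user_id": 42, "role": "pem_user"}  # constructed sample session
    blob = seal_session(session)
    ok = open_session(blob)
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01  # one-byte change to the payload
    rejected = open_session(bytes(tampered))
    payload = blob[TAG_LEN:]
    forged = hmac.new(b"wrong-key", payload, hashlib.sha256).digest() + payload
    return ok, rejected, open_session(forged)


if __name__ == "__main__":
    print(demo())
```

The order of operations is the whole point: verification happens on raw bytes, and only bytes that carry a valid tag are handed to pickle. hmac.compare_digest avoids the timing side channel a plain == comparison would leak.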

Fixed a symlink path traversal vulnerability (CVE-2026-7819) in the File Manager.

Fixed a symlink path traversal vulnerability (CVE-2026-7819) in the File Manager that allowed an authenticated user to write files outside their storage directory; check_access_permission now uses os.path.realpath and file uploads use O_NOFOLLOW.
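The two layers mentioned for CVE-2026-7819, realpath-based containment and O_NOFOLLOW on the open, complement each other: the first catches symlinks and dot-dot segments anywhere in the path, the second refuses to follow a symlink that is the final component even if the check passed (for example, because it was swapped in afterwards). The following is an added example, not the File Manager's check_access_permission; the storage layout, file names and function names are constructed for the demo, and os.O_NOFOLLOW requires a POSIX platform.

```python
import errno
import os
import tempfile


def is_within_storage(storage_dir, requested):
    """Resolve symlinks on both sides, then require the target to stay under storage_dir."""
    root = os.path.realpath(storage_dir)
    target = os.path.realpath(os.path.join(root, requested))
    return target == root or target.startswith(root + os.sep)


def write_upload(storage_dir, requested, content):
    """Write an upload only if its resolved path is inside storage; the open uses
    O_NOFOLLOW so a symlink as the last component is refused with ELOOP."""
    if not is_within_storage(storage_dir, requested):
        return False
    path = os.path.join(os.path.realpath(storage_dir), requested)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            return False
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return True


def demo():
    """Constructed layout: a per-user storage dir and a sibling dir it must not reach."""
    with tempfile.TemporaryDirectory() as tmp:
        storage = os.path.join(tmp, "storage")
        outside = os.path.join(tmp, "outside")
        os.makedirs(storage)
        os.makedirs(outside)
        victim = os.path.join(outside, "victim.txt")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        # Symlinks created inside the storage directory that point outside it.
        os.symlink(outside, os.path.join(storage, "escape_dir"))
        os.symlink(victim, os.path.join(storage, "escape_file"))
        results = {
            "plain": write_upload(storage, "notes.txt", b"hello"),
            "dotdot": write_upload(storage, "../outside/victim.txt", b"x"),
            "symlink_dir": write_upload(storage, "escape_dir/victim.txt", b"x"),
            "symlink_file": write_upload(storage, "escape_file", b"x"),
        }
        # A link that stays inside storage passes the realpath check but is
        # still refused by O_NOFOLLOW, because the final component is a symlink.
        os.symlink(os.path.join(storage, "notes.txt"), os.path.join(storage, "inner_link"))
        results["inner_link"] = write_upload(storage, "inner_link", b"x")
        with open(victim, "rb") as fh:
            results["victim_intact"] = fh.read() == b"original"
        with open(os.path.join(storage, "notes.txt"), "rb") as fh:
            results["notes_intact"] = fh.read() == b"hello"
        return results


if __name__ == "__main__":
    print(demo())
```

Note that the containment check compares against root + os.sep, not a bare prefix; without the separator a directory named storage2 beside storage would pass the check.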

Fixed a SQL injection vulnerability (CVE-2026-12044) in dialog COMMENT statements and pgstattuple.

Fixed a SQL injection vulnerability (CVE-2026-12044) across dialog templates that rendered COMMENT ON ... IS '<description>' statements, by switching to the qtLiteral escape filter and hardening qtLiteral to raise rather than silently return raw values when conn is falsy; also closed the pgstattuple/pgstatindex sink whereby a low-privilege user naming a table or index with an apostrophe-laden identifier caused SQL injection under the superuser viewer's role. Reported by Jasser Chebbi.

Fixed an AI Assistant read-only transaction bypass vulnerability (CVE-2026-12045) enabling arbitrary SQL execution.

Fixed an AI Assistant read-only transaction bypass vulnerability (CVE-2026-12045) that allowed prompt-injected multi-statement payloads to commit out of the READ ONLY wrapper and execute arbitrary SQL, chaining to remote code execution via COPY ... TO PROGRAM on a superuser connection. Reported by Isaac Chen.

Fixed two SQL Editor endpoints missing authentication (CVE-2026-12046) that exposed a deserialization sink.

Fixed two SQL Editor endpoints (close and update_connection) that were missing the @pga_login_required decorator (CVE-2026-12046), making them reachable without authentication in server mode and exposing a pickle deserialization sink. Reported by Fernando Bortotti.

Fixed a stored XSS vulnerability (CVE-2026-12048) via server error text and Explain content.

Fixed a stored cross-site scripting vulnerability (CVE-2026-12048) via PostgreSQL server error text and Explain plan-node content passed through html-react-parser without sanitization across notifier toasts, form errors, modal alerts, and the Explain visualizer, whereby same-origin JavaScript could read saved server connection credentials and issue arbitrary SQL against every connected server. Reported by Fernando Bortotti.

Fixed a SQL injection vulnerability (CVE-2026-12050) in the named restore point endpoint.

Fixed a SQL injection vulnerability (CVE-2026-12050) in the named restore point endpoint, where the user-supplied restore point name was interpolated into SQL via str.format() instead of being passed as a bound parameter; the fix was applied to both the pgAdmin ServerNode and the PEM PemServerNode implementations. Reported by Geo.
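The contrast behind the CVE-2026-12050 fix, str.format() versus a bound parameter, can be shown without a PostgreSQL instance. The following is an added example that is not PEM's or pgAdmin's code; it uses Python's built-in sqlite3 as a stand-in database with a constructed restore_points table, and an ordinary name containing an apostrophe is enough to show that formatted input reaches the SQL parser while a bound value does not.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the server: one table holding restore point names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE restore_points (name TEXT NOT NULL)")
    return conn


def create_restore_point_unsafe(conn, name):
    """The pattern the fix removed: the user-supplied name is pasted into SQL text."""
    sql = "INSERT INTO restore_points (name) VALUES ('{0}')".format(name)
    conn.execute(sql)


def create_restore_point_safe(conn, name):
    """Bound parameter: the driver passes the value separately from the statement,
    so no character in it can change the statement's structure."""
    conn.execute("INSERT INTO restore_points (name) VALUES (?)", (name,))


def demo():
    name = "before-o'brien-migration"  # constructed, perfectly legitimate name
    conn = make_db()
    try:
        create_restore_point_unsafe(conn, name)
        unsafe_outcome = "accepted"
    except sqlite3.OperationalError:
        unsafe_outcome = "syntax error"  # the apostrophe was parsed as SQL
    create_restore_point_safe(conn, name)
    stored = [row[0] for row in conn.execute("SELECT name FROM restore_points")]
    return unsafe_outcome, stored


if __name__ == "__main__":
    print(demo())
```

With psycopg2 against PostgreSQL the safe form is the same idea with its placeholder syntax, cursor.execute("SELECT pg_create_restore_point(%s)", (name,)); the name is a text argument and so can always be bound.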

Fixed a stored XSS vulnerability (CVE-2026-7814) via innerHTML in tree labels and Explain visualizer.

Fixed a stored cross-site scripting vulnerability (CVE-2026-7814) via innerHTML in the browser tree node labels and the Explain visualizer; all innerHTML assignments were replaced with textContent.

Fixed an account lockout bypass vulnerability (CVE-2026-7820) via the Flask-Security /login endpoint.

Fixed an account lockout bypass vulnerability (CVE-2026-7820), where an attacker who hit the lockout threshold on /authenticate/login could continue brute-forcing via the Flask-Security /login endpoint; User.is_active and User.is_locked now gate both authentication paths.

Fixed an HTML injection vulnerability (CVE-2026-12047) in the cloud deployment module.

Fixed an HTML injection vulnerability (CVE-2026-12047) in the cloud deployment module (RDS, Azure, Google), where SDK exception text was forwarded to the browser unsanitized and rendered through html-react-parser in the Cloud Wizard. Reported by Fernando Bortotti.

Fixed an open redirect vulnerability (CVE-2026-12049) in the multi-factor authentication flow.

Fixed an open redirect vulnerability (CVE-2026-12049) in the multi-factor authentication flow, via an unvalidated 'next' parameter that allowed a crafted link to redirect an authenticated victim to an attacker-controlled host. Reported by Mai Phạm Hiền.
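A validator for a post-login next parameter of the kind CVE-2026-12049 required, as an added example that is not PEM's MFA code: it accepts only a site-relative path and rebuilds the redirect target from parsed components rather than echoing the raw value, so the usual encodings of an external host (scheme-relative //host, backslash variants, surplus leading slashes, non-http schemes) all fall back to the default. The function name and the default landing path are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_next(next_param, default="/"):
    """Return a same-site relative path to redirect to after login, or the default.

    Only '/path?query#frag' values are accepted. Anything carrying a scheme or a
    host is rejected, as are backslashes (browsers fold '/\\host' into '//host')
    and control characters (browsers strip them, which can revive a blocked form).
    """
    if not next_param:
        return default
    value = next_param.strip()
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    # urlsplit turns '////host' into path '//host'; a browser would treat that
    # as scheme-relative, so refuse any path that starts with two slashes.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Rebuild from components only: no netloc, no scheme, nothing else survives.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for sample in ("/dashboard", "/login?x=1", "//evil.example/x",
                   "https://evil.example", "/\\evil.example", "////evil.example",
                   "javascript:alert(1)", ""):
        print(repr(sample), "->", safe_next(sample))
```

In a Flask handler this is used as redirect(safe_next(request.args.get("next"))); the rebuild step is what makes "///evil.example" harmless, since it comes back as the plain path "/evil.example" rather than the original string.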

Updated dompurify to 3.4.8 to fix BDSA-2026-13267.

Upgraded HTTPD to version 2.4.67 for the PEM server installer.

Upgraded HTTPD to version 2.4.67 for the PEM server installer, incorporating the latest security fixes and stability improvements.

Upgraded bundled PostgreSQL to version 17.10-1 for the PEM server installer on Windows.

Upgraded bundled PostgreSQL to version 17.10-1 for the PEM server installer on Windows, incorporating the latest security fixes and stability improvements.

Closed 18 Dependabot security alerts with minimal pgAdmin-origin code churn.

Changes

Reworked alert blackouts into first-class PEM objects with REST API v17 and server-side processing.

Reworked alert blackouts from job-based artifacts into first-class PEM objects with a normalized schema, REST API v17 endpoints, an audit trail, a manual enable/disable toggle, and a server-side process_blackouts() system job that replaces the legacy agent-side blackout management.

Migrated the Core Usage Report to the custom report template framework.

Migrated the Core Usage Report to the custom report template framework, enabling scheduled execution, API access, and consistent management alongside other custom reports.

Migrated the System Configuration Report to the custom report template framework.

Migrated the System Configuration Report to the custom report template framework, consolidating all system reports under the unified template-based architecture.

Refactored alert dispatch into a queue-driven model enabling concurrent workers without contention.

Refactored alert dispatch from per-cycle template scanning into a queue-driven model using pem.alert_queue with FOR UPDATE SKIP LOCKED concurrency, enabling concurrent alert workers without contention and deferring queued alerts via due_at rather than dropping them during blackouts.

Refreshed the probe_target_view materialized view concurrently to eliminate table locks during refresh.

Modified the pem.refresh_stale_probe_view function to refresh the probe_target_view materialized view concurrently, eliminating table locks during the refresh job and improving system responsiveness under load.

Upgraded SNMP++ to version 3.6.6 with upstream bug fixes and improvements.

Upgraded SNMP++ to version 3.6.6, incorporating upstream bug fixes and improvements to the SNMP notification subsystem.

Hardened agent connection, spooler, and async-query paths to eliminate hangs and silent failures.

Hardened the agent connection, spooler, and async-query paths to eliminate hangs, poisoned-row loops, and silent failure modes, with poll()-driven async query execution that supports timeout and cancel, a shared SpoolerLoop driver, capped spool retries, and typed ErrorKind categories.

Increased the default PEM_DB_POOL_MAX_WAITING from 10 to 30 to reduce pool exhaustion.

Increased the default PEM_DB_POOL_MAX_WAITING from 10 to 30, reducing connection pool exhaustion under concurrent load by allowing more requests to queue before being rejected.

Modernized the command-line argument parsing framework for pemWorker.

Modernized the command-line argument parsing framework for pemWorker, improving maintainability and enabling cleaner addition of new CLI options.

Updated copyright notices to 2026 across the PEM source files.

Merged the pgAdmin 9.13 codebase into PEM, bringing the latest features and fixes.

Merged the pgAdmin 9.13 codebase into PEM, bringing the latest pgAdmin features, bug fixes, and improvements to the PEM user interface and core functionality.

Updated Django (webhook_mtls_app) to 4.2.26 LTS.

Updated urllib3 to 2.7.0.

Updated axios to 1.18.0.

Updated React to 19.2.6.

Updated qs to 6.15.2.

Updated lodash to 4.18.1.

Updated postcss to 8.5.15.

Updated Authlib to 1.6.12.

Updated follow-redirects to 1.16.0.

Updated form-data to 4.0.6.

Bug Fixes

Fixed the agent using stale cached credentials after rotation by invalidating the ASB cache.

Fixed an issue whereby the agent's Agent Server Binding (ASB) cache was not invalidated when a monitored server connection failed because of invalid credentials, causing the agent to continue using stale cached passwords after credential rotation; the agent now evicts the ASB cache and clears pooler credentials on connection failure, and refuses to fall back to cached plaintext when EDBPEMDecrypt fails.

Fixed create_system_report failing silently on duplicate titles, enabling idempotent upgrade re-runs.

Fixed an issue whereby create_system_report failed silently on a duplicate title instead of raising an exception, enabling idempotent re-runs of upgrade scripts on already-upgraded installations.

Fixed a syntax error when editing alert parameter values in the Manage Alerts panel.

Fixed a syntax error that occurred when editing parameter values for alerts from the Manage Alerts panel.

Addresses: 59918

Fixed a typo in purge_snmp_spool that prevented the snmp_spool table from being purged.

Fixed a typo in the purge_snmp_spool function that prevented the snmp_spool table from being purged properly, causing accumulated unsent SNMP notifications.

Fixed global-agent server-level alerts being silently filtered out of the alert queue.

Fixed an issue whereby global-agent server-specific alerts (agent_id = 0 or -1) were silently filtered out of the alert queue because the eligibility predicate incorrectly required an agent_server_binding match on agent_id, which caused roughly 66% of auto-created server-level alerts never to fire.

Fixed a copy alerts crash and a 10.3.1-to-10.4.1 upgrade failure from double-encoded connection_params.

Fixed a copy alerts crash caused by scope-filter tightening that excluded fixtures with non-canonical package_name/agent_id values, and fixed a 10.3.1 to 10.4.1 upgrade failure whereby double-encoded connection_params JSONB strings caused jsonb_each to abort the migration.

Addresses: 61992

Fixed server filtering in the Barman dashboard's candle chart.

Fixed an issue whereby it was not possible to filter by server in the Barman dashboard's candle chart, restoring server-level filtering.

Addresses: 60789

Fixed a duplicate function entry in pemserver.sql and corrected an EFM alert template name.

Fixed a duplicate entry for the pem.create_delete_probe_purge_jobstep() function in pemserver.sql and corrected the alert template name "EFM Fewer Than N Nodes Active" in the 10.3.0 upgrade script.

Aligned pem_assign_profile behavior with its documented profile assignment contract.

Aligned pem_assign_profile with its documented contract, fixing inconsistencies between its actual behavior and the expected profile assignment semantics.

Fixed the Performance Diagnostic tool's recovery from disconnected server states and header layout.

Fixed an issue whereby the Performance Diagnostic tool did not recover gracefully from disconnected server states, and corrected the responsive header layout.

Addresses: 60789

Fixed dashboard charts not refreshing when navigating contexts via breadcrumb navigation.

Fixed an issue whereby dashboard charts did not refresh when navigating between contexts via the breadcrumb navigation.

Addresses: 60091, 61637

Fixed workspace ad-hoc database connections failing from the query tool due to model misuse.

Fixed an issue whereby workspace ad-hoc database connections did not use the PEM Server model correctly, which caused connection failures from the query tool.

Fixed the chart color settings API reading the transaction ID from the wrong source.

Fixed an issue whereby the chart color settings API failed because the transaction ID was read from the prop instead of from dashboard state.

Granted pg_read_server_files and pg_write_server_files roles to pem_agent to resolve file-access errors.

Granted the pg_read_server_files and pg_write_server_files roles to pem_agent, resolving permission errors when the agent needs to access server-side files for monitoring operations.

Fixed the unqualified insert_jobinfolog function causing job logging failures in some contexts.

Fixed an issue whereby the insert_jobinfolog function was not schema-qualified, causing job logging failures in certain execution contexts.

Fixed PEM agent.log output missing newline characters that ran log entries together.

Fixed an issue whereby PEM agent.log output was missing newline characters, causing log entries to run together and making log analysis difficult.

Addresses: 60923

Eliminated spurious warning messages when registering a new agent.

Eliminated spurious warning messages displayed when registering a new agent, reducing noise in the registration workflow.

Added an in-process retry queue for probe and job unlock operations after transient connection loss.

Added an in-process retry queue for probe and job unlock operations that fail because of transient PEM connection loss, preventing probes from remaining stuck in flight until the next worker restart.

Fixed the purge_deleted_objects_data job not being created for UI-deleted objects.

Fixed an issue whereby the purge_deleted_objects_data job was not created for objects deleted from the UI, and modified the purge function to disable triggers before deleting data from the pemdata schema to prevent copying to pemhistory during purge.

Fixed API documentation and validation for the /agent/job endpoint.

Fixed the API documentation and validation for the /agent/job endpoint, ensuring correct request and response schemas.

Fixed edb-uwsgi generating a core dump during service restart.

Fixed an issue whereby edb-uwsgi generated a core dump during service restart, by correcting the process lifecycle handling.

Fixed PEM upgrade to error out when an upgrade script fails, preventing partial upgrades.

Fixed PEM upgrade so that it now errors out when an upgrade script fails, preventing silent partial upgrades that leave the system in an inconsistent state.

Fixed Nginx to pass the real hostname and HTTPS scheme through to the application.

Fixed the Nginx configuration so that the real hostname and HTTPS scheme are passed through to the uWSGI/Flask application, resolving issues with URL generation and redirect handling behind the reverse proxy.

Fixed the PEM database connection pool to heal after a backend restart.

Fixed the PEM database connection pool so that it heals after a backend restart, preventing NoneType crashes in the web UI by adding pool-level health checks and proper handling of stale connections.

Fixed Performance Diagnostic charts to backfill empty timeline buckets for continuous rendering.

Fixed Performance Diagnostic charts so that empty timeline buckets are backfilled, ensuring continuous chart rendering even when some time periods have no data.

Hardened the probe REST API and fixed the Create Profile dialog's duplicate-name validation error.

Hardened the probe REST API (blocking SQL edits on system probes, rejecting duplicate probe_name on POST, and surfacing unknown IDs on export) and fixed the Create Profile dialog to show an inline validation error on duplicate profile names instead of the raw PostgreSQL unique-constraint error.

Fixed "Show acknowledged alerts" not restoring alerts in the Alert Details chart.

Fixed an issue whereby toggling "Show acknowledged alerts" back to enabled would not restore alerts in the Alert Details chart after all alerts had been acknowledged, because the error state was not cleared when data returned successfully.

Fixed WCAG 2.0 AA contrast issues across the dark, light, and high-contrast themes.

Fixed WCAG 2.0 AA contrast issues across the dark, light, and high-contrast themes, improving accessibility for users with visual impairments.

Fixed editing a custom batch probe's platform not updating the database platform column.

Fixed an issue whereby editing a custom batch probe's platform (for example, changing from *nix to Windows) did not update the platform column in the database, causing the probe not to appear in probe_target_view for the intended agent.

Fixed pem_manage_alert users unable to create alerts via the REST API.

Fixed an issue whereby a user with the pem_manage_alert role (via pem_config_alert) could not create alerts via the REST API because of missing SELECT, INSERT, UPDATE, and DELETE permissions on the pem.webhook_alert_config table.

Fixed --disable-probe and --enable-probe CLI commands failing on database-level probes.

Fixed an issue whereby the --disable-probe and --enable-probe CLI commands failed on database-level probes with a "permission denied for table probe_config_database" error.