Skip to main content

Pgadmin 4 CVE-2025-9636

HIGH
Origin Validation Error (CWE-346)
2025-09-04 f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Privilege Escalation Pgadmin 4 Suse
7.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.9 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 19:10 vuln.today
CVE Published
Sep 04, 2025 - 17:15 nvd
HIGH 7.9

DescriptionCVE.org

pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.

AnalysisAI

pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-346. pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation. Affected products include: Pgadmin Pgadmin 4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More from same product – last 7 days

CVE-2026-12046 CRITICAL
9.5 Jun 18

Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.1
CVE-2026-12045 CRITICAL
9.4 Jun 18

Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content
CVE-2026-12048 CRITICAL
9.3 Jun 18

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL

CVE-2026-12044 HIGH
8.7 Jun 18

SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inj
CVE-2026-12049 MEDIUM
5.3 Jun 18

Open redirect in pgAdmin 4's MFA validate and register endpoints allows network-accessible attackers to abuse the authen

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Python 3 15 SP6 SUSE Linux Enterprise Server 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Python 3 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed

Share

CVE-2025-9636 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy