Which versions of pgAdmin 4 are affected by CVE-2026-12046?

pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) contain a critical remote code execution vulnerability in SQL Editor endpoints that lack proper authentication enforcement.. A patch is available.

How to fix or mitigate CVE-2026-12046?

Within 24 hours: identify all pgAdmin 4 instances running versions 6.9-9.15 in server-mode configuration; implement immediate network access restrictions limiting pgAdmin connectivity to authorized administrative networks only. Within 7 days: deploy vendor-released patch to all affected instances per advisory; validate patch deployment and restart services. Within 30 days: review access logs for vulnerable endpoints (/sqleditor/close/ , /sqleditor/initialize/sqleditor/update_connection/) to detect prior unauthorized access; verify authentication enforcement is active across all patched instances.

pgAdmin 4 CVE-2026-12046

Q: What is the CVSS score of CVE-2026-12046?

CVE-2026-12046 has a CVSS 4.0 base score of 9.5 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

EUVD-2026-37966 CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-06-18 PostgreSQL

GHSA-mmqg-h4qx-g8qv

Python Authentication Bypass Deserialization RCE Pgadmin 4

9.5

CVSS 4.0 · Vendor: PostgreSQL

Severity by source

Vendor (PostgreSQL) PRIMARY

9.5 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N/UI:N), but RCE requires attacker-supplied SECRET_KEY and sessions/ write access from another channel, so AC:H; full host impact gives C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (PostgreSQL).

CVSS VectorVendor: PostgreSQL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

Jun 19, 2026 - 00:30 vuln.today

Analysis Generated

Jun 19, 2026 - 00:30 vuln.today

CVSS changed

Jun 19, 2026 - 00:22 NVD

9.0 (CRITICAL) 9.5 (CRITICAL)

DescriptionCVE.org

Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> -- were the only routes in the module missing the @pga_login_required decorator. Both reach a pickle.loads sink on session['gridData'][<trans_id>]['command_obj']: the close endpoint via close_sqleditor_session(), and update_sqleditor_connection via check_transaction_status(). In server mode these endpoints were reachable without any authenticated pgAdmin session.

The defect is a missing-authentication-on-critical-function (CWE-306) wrapper around a deserialization-of-untrusted-data sink (CWE-502). Exploiting it for remote code execution requires the attacker to also forge a server-side session file whose gridData entry contains a malicious pickle payload, which in turn requires both (a) knowledge of pgAdmin's Flask SECRET_KEY (no chain to leak it is described here -- the attacker must already possess it) and (b) write access to pgAdmin's sessions/ directory on the host. Neither precondition is granted by this defect on its own. When those preconditions are met from another channel (misconfigured deployment, prior compromise, leaked configuration), the missing auth gate is the final hop that turns an existing partial compromise into unauthenticated code execution in the pgAdmin process -- and, by extension, on the host under whatever account runs pgAdmin.

Fix is a one-line @pga_login_required decorator on each of the two endpoints, matching the convention used by every other route in the module. The is_authenticated / MFA chain now runs before the trans_id is dereferenced, so an unauthenticated request is rejected before reaching the deserialization path.

The defect is server-mode only. In DESKTOP mode pgAdmin's before_request hook re-authenticates DESKTOP_USER on every request, so no endpoint can be exercised in an unauthenticated state and no auth decorator (or its absence) is meaningful. The accompanying regression test mirrors the attacker's path -- harvests an X-pgA-CSRFToken from GET /login and replays it against both endpoints -- and self-skips outside server mode for that reason; it is wired into the existing server-mode CI workflow alongside the data-isolation tests.

This issue affects pgAdmin 4: from 6.9 before 9.16.

Articles & Coverage 1

News 3 New Python Vulnerabilities - 2 Critical, 1 High Severity Jun 19, 2026

AnalysisAI

Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain SECRET_KEY and sessions/ write access out-of-band

Delivery

Harvest CSRF token from GET /login

Exploit

Plant forged session file with malicious pickle in gridData

Execution

Send unauthenticated DELETE /sqleditor/close/<trans_id>

Persist

pickle.loads executes payload in pgAdmin process

Impact

Code execution as pgAdmin service account

Access

Obtain SECRET_KEY and sessions/ write access out-of-band

Delivery

Harvest CSRF token from GET /login

Exploit

Plant forged session file with malicious pickle in gridData

Execution

Send unauthenticated DELETE /sqleditor/close/<trans_id>

Persist

pickle.loads executes payload in pgAdmin process

Impact

Code execution as pgAdmin service account

Vulnerability AssessmentAI

Exploitation	Target must be running pgAdmin 4 between 6.9 and 9.15 inclusive in SERVER mode (DESKTOP mode is immune because the before_request hook re-authenticates DESKTOP_USER on every request). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.0 score of 9.5 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) leans heavily on full-system impact and AT:P (attack requirements present), which correctly captures that exploitation depends on SECRET_KEY knowledge plus write access to sessions/ - neither granted by this defect alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has separately obtained the target's Flask SECRET_KEY (e.g., from a leaked config dump or backup) and has write access to the pgAdmin sessions/ directory (e.g., shared host, prior foothold, misconfigured volume mount) crafts a Flask session file whose gridData[trans_id]['command_obj'] is a malicious pickle payload, then sends an unauthenticated DELETE to /sqleditor/close/<trans_id> with only a CSRF token harvested from GET /login. The missing @pga_login_required decorator lets the request reach close_sqleditor_session(), pickle.loads fires on the planted payload, and arbitrary code runs as the pgAdmin process user. …
Remediation	Vendor-released patch: upgrade pgAdmin 4 to version 9.16 or later, which adds @pga_login_required to both DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> (commit f81433ae at https://github.com/pgadmin-org/pgadmin4/commit/f81433ae2f998f95bb17f27f53b4e99ebcc1df9c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all pgAdmin 4 instances running versions 6.9-9.15 in server-mode configuration; implement immediate network access restrictions limiting pgAdmin connectivity to authorized administrative networks only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49257 CRITICAL Act Now

10.0 Jun 18

Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL Act Now

9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co

CVE-2026-38716 CRITICAL Act Now