Skip to main content

pgAdmin 4 CVE-2026-7813

| EUVDEUVD-2026-29081 CRITICAL
Improper Access Control (CWE-284)
2026-05-11 PostgreSQL GHSA-h2x2-q2mc-24gw
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 11, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 16:22 NVD
9.9 (CRITICAL) 9.4 (CRITICAL)
Source Code Evidence Fetched
May 11, 2026 - 15:46 vuln.today
Analysis Generated
May 11, 2026 - 15:46 vuln.today
CVE Published
May 11, 2026 - 14:35 nvd
CRITICAL 9.9

DescriptionCVE.org

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.

Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs.

Additionally, the Shared Servers feature contained multiple issues including credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd (a shell command executed when establishing the connection) allowing arbitrary command execution in the owner's process context, and owner-data corruption via SQLAlchemy session mutations. Several owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners through the API, and additional fields (kerberos_conn, tags, post_connection_sql) lacked per-user persistence so non-owner edits mutated the owner's record.

Fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge / API response / ServerManager paths, and adds an explicit owner-only write guard. The remediation landed in two pull requests; both are referenced.

This issue affects pgAdmin 4: before 9.15.

AnalysisAI

Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users' private database servers, credentials, and background processes by guessing object IDs. Attackers can execute arbitrary shell commands as the server owner by modifying the passexec_cmd field through unprotected API endpoints. The vulnerability combines horizontal privilege escalation (accessing peer users' objects), vertical escalation (executing commands as owner), and credential theft (SSL keys, passfiles). No public exploit code identified at time of analysis, but exploitation requires only low-privilege authentication with no user interaction (CVSS PR:L/UI:N). EPSS data not provided; CISA KEV status not confirmed.

Technical ContextAI

pgAdmin 4 is a web-based administration platform for PostgreSQL databases. In server mode (multi-user deployment), the application stores user-owned resources including server connection definitions, server groups, and debugger state in a shared SQLAlchemy ORM backend. The vulnerability stems from missing authorization filters on object retrieval queries across five modules: Server Groups, Servers, Shared Servers, Background Processes, and Debugger. Multiple endpoints fetched objects by primary key (ID) without scoping to the authenticated user's identity, allowing Insecure Direct Object Reference (IDOR) attacks. The Shared Servers feature stored owner-only fields (passexec_cmd, passfile, SSL certificates) in the same ORM model as non-owner editable fields, without field-level access control. The passexec_cmd field is particularly dangerous as it contains shell commands executed during PostgreSQL connection establishment in the owner's process context. SQLAlchemy session mutations allowed non-owners to corrupt owner data by editing fields that lacked per-user persistence (kerberos_conn, tags, post_connection_sql). The fix introduces a UserScopedMixin that adds user_id foreign keys and composite primary keys to all user-owned models, a centralized server_access authorization module, and field-level suppression of owner-only attributes in API responses and merge operations.

RemediationAI

Upgrade to pgAdmin 4 version 9.15 or later, which includes comprehensive authorization fixes via pull requests 9830 and 9835. The patch introduces database schema migrations that add user_id columns to debugger_function_arguments tables and create composite primary keys scoping all objects to requesting users. Advisory and patch available at https://github.com/pgadmin-org/pgadmin4/pull/9830 and https://github.com/pgadmin-org/pgadmin4/pull/9835. If immediate upgrade is not feasible, disable server mode and migrate users to desktop mode deployments where each user runs an isolated pgAdmin instance (eliminates multi-user attack surface but sacrifices centralized management). Alternatively, restrict pgAdmin access to highly trusted administrators only via network ACLs or authentication proxy, accepting that any authenticated user can compromise all others until patched. For Shared Servers feature specifically, disable the feature entirely via configuration if upgrade cannot be performed immediately (prevents passexec_cmd exploitation but does not address IDOR issues in other modules). Note that workarounds provide only partial risk reduction; upgrade to 9.15 is the only complete remediation.

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2024-2044 CRITICAL POC
9.9 Mar 07

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling

CVE-2024-3116 CRITICAL POC
9.8 Apr 04

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. Rated cr

CVE-2022-4223 HIGH POC
8.8 Dec 13

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external Post

CVE-2024-9014 MEDIUM POC
6.5 Sep 23

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. Rated medium severity (CVS

CVE-2026-12046 CRITICAL
9.5 Jun 18

Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.1

CVE-2026-12045 CRITICAL
9.4 Jun 18

Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content

CVE-2024-4216 MEDIUM POC
5.4 May 02

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. Rated medium severity (CVS

CVE-2026-12048 CRITICAL
9.3 Jun 18

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL

CVE-2025-2946 CRITICAL
9.1 Apr 03

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). Rated critical severity (CVSS 9.1

CVE-2026-12044 HIGH
8.7 Jun 18

SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inj

CVE-2024-4215 HIGH
8.8 May 02

pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. Rated high severity (CVSS 8.8), this v

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-7813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy