Skip to main content

pgAdmin 4 CVE-2026-7820

| EUVD-2026-29088 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-11 PostgreSQL GHSA-hv9p-2pqf-r5w3
Authentication Bypass Python
6.9
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 11, 2026 - 17:17 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
May 11, 2026 - 15:47 vuln.today
CVE Published
May 11, 2026 - 14:35 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on pgadmin4 (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 9.15.

DescriptionNVD

Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4.

pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User model relied on Flask-Security's UserMixin.is_locked() (which always returns 'not locked') and Flask-Login's is_active (which only checks the active column, not locked). An attacker who triggered an account lockout via /authenticate/login could therefore obtain a session by re-submitting valid credentials directly to /login, defeating the brute-force-protection control for accounts using the INTERNAL authentication source. The same bypass also means that login attempts via /login are never rate-limited, so an attacker can perform an unbounded online password-guessing attack against INTERNAL accounts regardless of MAX_LOGIN_ATTEMPTS.

Fix overrides User.is_active and User.is_locked() so the locked column is enforced on every authentication path. LDAP, OAuth2, Kerberos, and Webserver users are not reachable by this bypass because they have no local password and are rejected by Flask-Security's LoginForm.validate before the locked check; the lockout itself is also internal-only (the /authenticate/login view filters by auth_source=INTERNAL).

This issue affects pgAdmin 4: before 9.15.

AnalysisAI

pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Vendor StatusVendor

Share

CVE-2026-7820 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy