Skip to main content

pgAdmin 4 EUVDEUVD-2026-29087

| CVE-2026-7819 HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-05-11 PostgreSQL GHSA-hr4r-fwpv-c95j
7.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 11, 2026 - 17:17 EUVD
Re-analysis Queued
May 11, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 16:22 NVD
8.1 (HIGH) 7.2 (HIGH)
Analysis Generated
May 11, 2026 - 15:46 vuln.today
CVE Published
May 11, 2026 - 14:35 nvd
HIGH 8.1

DescriptionCVE.org

Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager.

check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storage directory pointing outside it and induce pgAdmin to write to any path reachable by the pgAdmin process.

Fix switches the access check to os.path.realpath for both source and destination, and adds an _open_upload_target helper that opens the target with O_NOFOLLOW (mode 0o600) to close the leaf-component TOCTOU between the access check and the open. File mode is hardened from 0o644 to 0o600.

This issue affects pgAdmin 4: before 9.15.

AnalysisAI

Symbolic link path traversal in pgAdmin 4 File Manager allows authenticated users to write arbitrary files on the server filesystem. Attackers with valid credentials can plant symlinks in their storage directory pointing outside it, bypassing access controls to overwrite critical system files or application configurations with pgAdmin process privileges. The vulnerability combines CWE-61 (symlink following) with a time-of-check-time-of-use race condition. Affects all pgAdmin 4 versions before 9.15. No active exploitation confirmed (not in CISA KEV), but exploit is straightforward for authenticated attackers given the detailed fix description published by PostgreSQL project.

Technical ContextAI

pgAdmin 4 is the web-based administration platform for PostgreSQL databases. The vulnerability exists in the File Manager component's access control mechanism. The flaw stems from using os.path.abspath() for permission checks, which normalizes paths by resolving parent directory references (..) but does not resolve symbolic links. Python's os.path.abspath canonicalizes relative paths but treats symlinks as opaque filenames. In contrast, the kernel's file write operations follow symbolic links by default. This creates a classic TOCTOU (time-of-check-time-of-use) race: the security check validates one path while the actual write operation targets a different resolved path. An attacker exploits this by creating a symlink within their authorized storage directory that points to sensitive files outside it (e.g., /etc/passwd, application config files, or other users' data). The check_access_permission function validates the symlink path itself as being within bounds, but the subsequent write follows the link to its target, bypassing the containment check. This is a classic example of CWE-61 (UNIX Symbolic Link Following) combined with CWE-22 (Path Traversal).

RemediationAI

Upgrade to pgAdmin 4 version 9.15 or later, which implements comprehensive fixes for the symlink traversal vulnerability. The patch replaces os.path.abspath with os.path.realpath in check_access_permission for both source and destination paths, ensuring symbolic links are fully resolved before access control checks. Additionally, a new _open_upload_target helper opens files with O_NOFOLLOW flag to prevent following symlinks at the leaf component, closing the TOCTOU window between check and open operations. File permissions are hardened from 0o644 (world-readable) to 0o600 (owner-only). Refer to https://github.com/pgadmin-org/pgadmin4/issues/9902 for complete technical details. If immediate upgrade is not possible, compensating controls include restricting pgAdmin access to trusted administrators only, running pgAdmin with minimal filesystem privileges through OS-level mandatory access controls (SELinux, AppArmor), and monitoring pgAdmin storage directories for unexpected symlinks. Note that filesystem permission restrictions significantly reduce pgAdmin's ability to manage PostgreSQL files. Disabling the File Manager feature entirely eliminates attack surface but removes legitimate administrative functionality for file-based operations.

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2024-2044 CRITICAL POC
9.9 Mar 07

pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling

CVE-2024-3116 CRITICAL POC
9.8 Apr 04

pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. Rated cr

CVE-2022-4223 HIGH POC
8.8 Dec 13

The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external Post

CVE-2024-9014 MEDIUM POC
6.5 Sep 23

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. Rated medium severity (CVS

CVE-2026-12046 CRITICAL
9.5 Jun 18

Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.1

CVE-2026-12045 CRITICAL
9.4 Jun 18

Remote SQL injection via prompt injection in pgAdmin 4 versions 9.13 through 9.15 allows attackers who can write content

CVE-2026-7813 CRITICAL
9.4 May 11

Authorization bypass and privilege escalation in pgAdmin 4 server mode allows authenticated users to access other users'

CVE-2024-4216 MEDIUM POC
5.4 May 02

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. Rated medium severity (CVS

CVE-2026-12048 CRITICAL
9.3 Jun 18

Stored cross-site scripting in pgAdmin 4 versions 6.0 through 9.15 allows a malicious or attacker-influenced PostgreSQL

CVE-2025-2946 CRITICAL
9.1 Apr 03

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). Rated critical severity (CVSS 9.1

CVE-2026-12044 HIGH
8.7 Jun 18

SQL injection in pgAdmin 4 versions 1.0 through 9.15 allows an authenticated user with object-modification rights to inj

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

EUVD-2026-29087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy