Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
The attacker needs no privileges (PR:N); the victim must click a crafted link (UI:R); the impact is limited to an unauthorized-redirect integrity violation, with no confidentiality or availability consequence.
Primary rating from Vendor (PostgreSQL).
Description (source: CVE.org)
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.
The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.
The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes a user-supplied 'next' value through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter's PoC.
This issue affects pgAdmin 4: from 6.0 before 9.16.
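The same-origin check described in the fix above (and referenced again under Remediation in the assessment table) as an added, constructed example: this is not pgAdmin's own _is_safe_redirect_url, and the fallback path /browser/, the request_host argument and the sample targets are assumptions. It implements each accept/reject category the description lists, so a reviewer can see why a given 'next' value is honoured or replaced by the internal landing page.

```python
"""Same-origin validation of a user-supplied 'next' redirect target.

Constructed example written for this page; it is not pgAdmin's helper, but
it follows the accept/reject rules the advisory description lists.
"""
from urllib.parse import urlsplit

# Assumed internal landing page used when a target is rejected (placeholder).
DEFAULT_FALLBACK = "/browser/"


def is_safe_redirect_url(target, request_host):
    """Return True only if `target` keeps the user on `request_host`.

    Accepted: relative paths ("/browser/?a=1") and absolute http(s) URLs whose
    host[:port] equals the current request host (compared case-insensitively).
    Rejected: other hosts in absolute or protocol-relative ("//host") form,
    non-http schemes (javascript:, data:, mailto:), userinfo tricks
    ("http://localhost@attacker/") and backslash variants ("/\\attacker").
    """
    if not target or not request_host:
        return False
    # Some browsers treat "\" as "/", so "/\attacker" becomes "//attacker".
    # Normalise first so the parser sees what the browser would see.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Relative path: no scheme and no authority, so it resolves on our host.
    if parts.scheme == "" and parts.netloc == "":
        return True
    # Protocol-relative URLs arrive here with an empty scheme and a netloc;
    # javascript:/data:/mailto: arrive with a non-http scheme. Both are rejected.
    if parts.scheme not in ("http", "https"):
        return False
    # "http://localhost@attacker/" parses its real host as "attacker"; refuse
    # any userinfo outright rather than reasoning about it.
    if "@" in parts.netloc:
        return False
    return parts.netloc.lower() == request_host.lower()


def resolve_redirect(next_param, request_host, fallback=DEFAULT_FALLBACK):
    """Return `next_param` if it is same-origin, otherwise the internal fallback."""
    if is_safe_redirect_url(next_param, request_host):
        return next_param
    return fallback


# Constructed sample targets covering each category from the description.
SAMPLE_TARGETS = [
    "/browser/?tab=dashboard",
    "https://pgadmin.example/browser/",
    "https://attacker.example/fake-login",
    "//attacker.example/fake-login",
    "javascript:alert(1)",
    "data:text/html,<h1>x</h1>",
    "mailto:someone@attacker.example",
    "http://pgadmin.example@attacker.example/",
    "/\\attacker.example/fake-login",
]


def classify_targets(request_host, targets=SAMPLE_TARGETS):
    """Map each target to the URL the MFA flow would actually redirect to."""
    return {t: resolve_redirect(t, request_host) for t in targets}


if __name__ == "__main__":
    for target, destination in classify_targets("pgadmin.example").items():
        verdict = "allowed" if destination == target else "replaced"
        print(f"{verdict:8} {target!r} -> {destination!r}")
```

Run against a request host of pgadmin.example, only the first two targets are honoured; every other entry is replaced by /browser/. Comparing the full netloc (host plus port) rather than just the hostname is deliberate: it keeps a redirect to the same hostname on a different port from being treated as same-origin.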
Analysis (AI-generated)
Open redirect in pgAdmin 4's MFA validate and register endpoints allows network-accessible attackers to abuse the authentication flow as a phishing launchpad. Affected versions 6.0 through 9.15 pass the user-supplied 'next' query and form parameter directly to Flask's redirect response without verifying the target is same-origin, meaning a crafted URL such as /mfa/validate?next=https://attacker.example/fake-login silently forwards the victim from a trusted pgAdmin URL to an attacker-controlled site. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the victim to be a pgAdmin 4 user who is either mid-MFA-flow (between password submission and MFA completion) or otherwise directed to access the /mfa/validate or MFA registration endpoint with a crafted 'next' parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N) correctly reflects a medium-severity, phishing-facilitation flaw with no direct data exfiltration or system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a pgAdmin administrator and sends a phishing email containing a link to the target's own pgAdmin instance - e.g., https://pgadmin.corp.internal/mfa/validate?next=https://attacker.example/pgadmin-login - framed as a security notification requiring MFA re-validation. When the administrator clicks the link while authenticated, pgAdmin's MFA validate endpoint processes the 'next' parameter and issues a 302 redirect to the attacker's site, which presents a credential-harvesting page styled like pgAdmin or the organization's SSO portal. … |
| Remediation | Upgrade pgAdmin 4 to version 9.16 or later, which introduces the _is_safe_redirect_url same-origin validation helper gating all 'next' parameter consumption in the MFA flow. … Detailed patch versions, workarounds, and compensating controls in full report. |
References
EUVD-2026-37969
GHSA-7r93-vp6c-cw5m