QSearchQSearch

CVE-2026-7813

9.9 CRITICAL

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger...

Published: 2026-05-11 · Last updated: 2026-05-26

Severity and scoring

CVSS
9.9 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-284

Affected products

VendorProduct
pgadminpgadmin_4

Description

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs. Additionally, the Shared Servers feature contained multiple issues including credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd (a shell command executed when establishing the connection) allowing arbitrary command execution in the owner's process context, and owner-data corruption via SQLAlchemy session mutations. Several owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners through the API, and additional fields (kerberos_conn, tags, post_connection_sql) lacked per-user persistence so non-owner edits mutated the owner's record. Fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge / API response / ServerManager paths, and adds an explicit owner-only write guard. The remediation landed in two pull requests; both are referenced. This issue affects pgAdmin 4: before 9.15.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-7820 Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4 (6.5 MEDIUM)
  • CVE-2026-7819 Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
  • CVE-2026-7818 Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager (7.0 HIGH)
  • CVE-2026-7817 Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints (6.5 MEDIUM)
  • CVE-2026-7816 OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export (8.8 HIGH)

Same CWE

  • CVE-2026-48610 Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability fou... (8.1 HIGH)
  • CVE-2026-47366 Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenti... (7.2 HIGH)
  • CVE-2026-44249 Netty is a network application framework for development of protocol servers and clients (8.1 HIGH)
  • CVE-2026-45178 Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints
  • CVE-2026-45177 Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components