CVE-2026-7817
6.5 MEDIUMLocal file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints
Published: 2026-05-11 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-552
Affected products
| Vendor | Product |
|---|---|
| pgadmin | pgadmin_4 |
Description
Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_url, exploiting the chat path and model-list endpoints. Fix restricts api_key_file to the user's private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates api_url against a configurable allow-list (config.ALLOWED_LLM_API_URLS) at every entry point. This issue affects pgAdmin 4: before 9.15.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-7820 — Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4 (6.5 MEDIUM)
- CVE-2026-7819 — Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
- CVE-2026-7818 — Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager (7.0 HIGH)
- CVE-2026-7816 — OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export (8.8 HIGH)
- CVE-2026-7815 — SQL injection vulnerability in pgAdmin 4 Maintenance Tool (8.8 HIGH)
Same CWE
- CVE-2025-14771 — Files or directories accessible to external parties vulnerability in ABB T-MAC Plus (9.9 CRITICAL)
- CVE-2026-45543 — Nextcloud is an open source content collaboration platform (5.3 MEDIUM)
- CVE-2026-40425 — The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to auth... (5.7 MEDIUM)
- CVE-2026-45088 — Dalfox is a powerful open-source XSS scanner and utility focused on automation (7.5 HIGH)
- CVE-2024-56462 — IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be rest... (7.2 HIGH)