CVE-2026-7818
7.0 HIGHDeserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager
Published: 2026-05-11 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 7.0 HIGH
- Vector
- CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| pgadmin | pgadmin_4 |
Description
Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory (whether by misconfiguration or in combination with another path-traversal flaw) could plant a crafted serialized payload to achieve operating-system level remote code execution under the pgAdmin process identity. Fix prepends a 64-byte hex SHA-256 HMAC over the session body, computed with SECRET_KEY, and verifies it via hmac.compare_digest before any deserialization. The check is raised (rather than asserted) on empty SECRET_KEY so it is not stripped under -O. This issue affects pgAdmin 4: before 9.15.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-7820 — Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4 (6.5 MEDIUM)
- CVE-2026-7819 — Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
- CVE-2026-7817 — Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints (6.5 MEDIUM)
- CVE-2026-7816 — OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export (8.8 HIGH)
- CVE-2026-7815 — SQL injection vulnerability in pgAdmin 4 Maintenance Tool (8.8 HIGH)
Same CWE
- CVE-2026-41699 — Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries (8.1 HIGH)
- CVE-2026-20251 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
- CVE-2026-53435 — In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
- CVE-2026-52751 — Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)
- CVE-2026-10721 — Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components