QSearchQSearch

CVE-2026-7820

6.5 MEDIUM

Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4

Published: 2026-05-11 · Last updated: 2026-05-26

Severity and scoring

CVSS
6.5 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
CWE-307

Affected products

VendorProduct
pgadminpgadmin_4

Description

Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User model relied on Flask-Security's UserMixin.is_locked() (which always returns 'not locked') and Flask-Login's is_active (which only checks the active column, not locked). An attacker who triggered an account lockout via /authenticate/login could therefore obtain a session by re-submitting valid credentials directly to /login, defeating the brute-force-protection control for accounts using the INTERNAL authentication source. The same bypass also means that login attempts via /login are never rate-limited, so an attacker can perform an unbounded online password-guessing attack against INTERNAL accounts regardless of MAX_LOGIN_ATTEMPTS. Fix overrides User.is_active and User.is_locked() so the locked column is enforced on every authentication path. LDAP, OAuth2, Kerberos, and Webserver users are not reachable by this bypass because they have no local password and are rejected by Flask-Security's LoginForm.validate before the locked check; the lockout itself is also internal-only (the /authenticate/login view filters by auth_source=INTERNAL). This issue affects pgAdmin 4: before 9.15.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-7819 Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)
  • CVE-2026-7818 Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager (7.0 HIGH)
  • CVE-2026-7817 Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints (6.5 MEDIUM)
  • CVE-2026-7816 OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export (8.8 HIGH)
  • CVE-2026-7815 SQL injection vulnerability in pgAdmin 4 Maintenance Tool (8.8 HIGH)

Same CWE

  • CVE-2026-3329 A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository v...
  • CVE-2026-43926 FOSSBilling is a free, open-source billing and client management system
  • CVE-2026-36612 Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 1... (6.4 MEDIUM)
  • CVE-2026-36607 Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change e... (8.8 HIGH)
  • CVE-2026-10216 A vulnerability was detected in unitedbyai droidclaw up to 0.5.3 (3.7 LOW)