
Asheshv

#23866 of 53,633
9.9 Total CVSS
Vulnerabilities · 1
PT-2026-39623
9.9
2026-05-11
Pgadmin 4 · Pgadmin 4 · CVE-2026-7813
**Name of the Vulnerable Software and Affected Versions**

pgAdmin 4 versions prior to 9.15 (the issue affects deployments running in server mode).

**Description**

An authorization issue in server mode affects the Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints look up user-owned objects by object ID alone and never filter by the identity of the requesting user. Any authenticated user can therefore read other users' private servers, server groups, background processes, and debugger function arguments simply by guessing object IDs (an insecure direct object reference).

In the Shared Servers feature this leads to credential leakage: a non-owner can read the SSL key, `passfile`, and `passexec_cmd` of a server they do not own. Non-owners can also write to owner-only fields such as `passexec_cmd`, `passexec_expiration`, `db_res`, and `db_res_type` via the API. Because `passexec_cmd` is a shell command that pgAdmin executes when it establishes the connection, a non-owner who can rewrite it obtains arbitrary command execution within the owner's process context, i.e. privilege escalation to whatever that context can reach.

Additionally, fields such as `kerberos_conn`, `tags`, and `post_connection_sql` are not persisted per user for shared servers: an edit by a non-owner mutates the owner's record rather than a per-user copy, which can corrupt the owner's server definition through SQLAlchemy session mutations.

**Recommendations**

Update to pgAdmin 4 version 9.15 or later.
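The pattern behind this advisory, as an added example that is not pgAdmin's own code: a minimal server store queried the way a Flask/SQLAlchemy view layer would query a `Server` table, with the vulnerable lookup (filter by object ID only, no owner check on writes) next to a hardened one that scopes every query by the requesting user, hides owner-only fields from non-owners of a shared server, and stores the per-user fields on a per-user copy. The class and function names, the field sets, and the sample records are constructed for this illustration; they are assumptions, not pgAdmin's API.

```python
"""Added example, not pgAdmin's code: the missing-ownership-filter pattern
behind CVE-2026-7813.  Names, field sets and records are constructed."""
from dataclasses import dataclass, field

# Fields the advisory names as owner-only: they leak credentials or, for
# passexec_cmd, run a shell command in the owner's process context.
OWNER_ONLY_FIELDS = {"passexec_cmd", "passexec_expiration", "db_res",
                     "db_res_type", "passfile", "sslkey"}
# Fields a non-owner of a shared server may set, but only on a per-user copy.
PER_USER_FIELDS = {"kerberos_conn", "tags", "post_connection_sql"}


class AuthorizationError(Exception):
    pass


@dataclass
class Server:
    id: int
    user_id: int                  # owner
    name: str
    shared: bool = False
    passexec_cmd: str = ""
    passfile: str = ""
    kerberos_conn: bool = False
    # per-user overrides for a shared server: {user_id: {field: value}}
    overrides: dict = field(default_factory=dict)


class ServerStore:
    def __init__(self):
        self._rows = {}

    def add(self, user_id, name, **fields):
        sid = len(self._rows) + 1     # sequential IDs, hence guessable
        self._rows[sid] = Server(sid, user_id, name, **fields)
        return sid

    # --- vulnerable pattern (behaviour the advisory describes) -------------
    def get_vuln(self, sid):
        # Like Server.query.filter_by(id=sid).first(): the requester never
        # enters the query, so any authenticated user can read any row.
        return self._rows.get(sid)

    def update_vuln(self, sid, **changes):
        srv = self._rows[sid]
        for k, v in changes.items():  # no owner check on owner-only fields,
            setattr(srv, k, v)        # and the edit lands on the owner's record
        return srv

    # --- hardened pattern ----------------------------------------------------
    def get(self, sid, requester_id):
        srv = self._rows.get(sid)
        # Missing and forbidden rows raise the same error, so a probe of IDs
        # cannot tell which IDs exist.
        if srv is None or (srv.user_id != requester_id and not srv.shared):
            raise AuthorizationError("server not found")
        return srv

    def view(self, sid, requester_id):
        srv = self.get(sid, requester_id)
        data = {"id": srv.id, "name": srv.name, "owner": srv.user_id}
        if srv.user_id == requester_id:   # owner-only fields only for the owner
            data.update(passexec_cmd=srv.passexec_cmd, passfile=srv.passfile)
        mine = srv.overrides.get(requester_id, {})
        data["kerberos_conn"] = mine.get("kerberos_conn", srv.kerberos_conn)
        return data

    def update(self, sid, requester_id, **changes):
        srv = self.get(sid, requester_id)
        if srv.user_id == requester_id:
            for k, v in changes.items():
                setattr(srv, k, v)
            return srv
        for k, v in changes.items():  # non-owner: per-user fields only
            if k not in PER_USER_FIELDS:
                why = "owner-only" if k in OWNER_ONLY_FIELDS else "not editable"
                raise AuthorizationError(f"{k} is {why} for non-owners")
            srv.overrides.setdefault(requester_id, {})[k] = v
        return srv


def enumerate_servers(store, requester_id, id_range, hardened):
    """What an attacker guessing IDs learns: {id: passexec_cmd} for every row
    whose passexec_cmd they can read."""
    leaked = {}
    for sid in id_range:
        if not hardened:
            srv = store.get_vuln(sid)
            if srv is not None:
                leaked[sid] = srv.passexec_cmd
            continue
        try:
            data = store.view(sid, requester_id)
        except AuthorizationError:
            continue
        if "passexec_cmd" in data:
            leaked[sid] = data["passexec_cmd"]
    return leaked


def build_store():
    # Constructed sample data: user 1 owns a private and a shared server,
    # user 2 (the attacker) owns one private server.
    store = ServerStore()
    store.add(1, "alice-private", passexec_cmd="/usr/bin/get-pw alice",
              passfile="/home/alice/.pgpass")
    store.add(1, "alice-shared", shared=True, passexec_cmd="/usr/bin/get-pw shared")
    store.add(2, "bob-private", passexec_cmd="/usr/bin/get-pw bob")
    return store


def demo():
    attacker = 2
    store = build_store()
    leaked_before = enumerate_servers(store, attacker, range(1, 10), hardened=False)
    store.update_vuln(1, passexec_cmd="/tmp/evil.sh")   # runs when alice connects
    written_before = store.get_vuln(1).passexec_cmd

    store = build_store()
    leaked_after = enumerate_servers(store, attacker, range(1, 10), hardened=True)
    try:
        store.update(2, attacker, passexec_cmd="/tmp/evil.sh")
        write_blocked = False
    except AuthorizationError:
        write_blocked = True
    store.update(2, attacker, kerberos_conn=True)         # per-user copy only
    return {"leaked_before": leaked_before, "written_before": written_before,
            "leaked_after": leaked_after, "write_blocked": write_blocked,
            "owner_kerberos": store.view(2, 1)["kerberos_conn"],
            "attacker_kerberos": store.view(2, attacker)["kerberos_conn"]}


if __name__ == "__main__":
    print(demo())
```

The two things to check in a real fix are both visible in `demo()`: the hardened lookup returns the same error for an ID the user cannot see and for an ID that does not exist, and a non-owner's edit to a shared server never touches the owner's row, so `kerberos_conn` stays `False` for the owner while the attacker sees their own `True`.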