PT-2026-39623 · Pgadmin 4+1 · Pgadmin 4+1
Asheshv
·
Published
2026-05-11
·
Updated
2026-06-29
·
CVE-2026-7813
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
pgAdmin 4 versions prior to 9.15
Description
An authorization issue in server mode affects the Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fail to filter user-owned objects by the identity of the requesting user, allowing an authenticated user to access private servers, server groups, background processes, and debugger function arguments by guessing object IDs. In the Shared Servers feature, this leads to credential leakage of SSL keys,
passfile, and passexec cmd. Furthermore, non-owners can write to owner-only fields such as passexec cmd, passexec expiration, db res, and db res type via the API. Specifically, a writable passexec cmd (a shell command executed during connection establishment) can lead to privilege escalation and arbitrary command execution within the owner's process context. Additionally, fields like kerberos conn, tags, and post connection sql lack per-user persistence, meaning edits by non-owners mutate the owner's record, potentially causing data corruption via SQLAlchemy session mutations.Recommendations
Update to version 9.15.
Exploit
Fix
LPE
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pgadmin
Pgadmin 4