PT-2026-39623 · Pgadmin 4+1 · Pgadmin 4+1

Asheshv

·

Published

2026-05-11

·

Updated

2026-06-29

·

CVE-2026-7813

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions prior to 9.15
Description An authorization issue in server mode affects the Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fail to filter user-owned objects by the identity of the requesting user, allowing an authenticated user to access private servers, server groups, background processes, and debugger function arguments by guessing object IDs. In the Shared Servers feature, this leads to credential leakage of SSL keys, passfile, and passexec cmd. Furthermore, non-owners can write to owner-only fields such as passexec cmd, passexec expiration, db res, and db res type via the API. Specifically, a writable passexec cmd (a shell command executed during connection establishment) can lead to privilege escalation and arbitrary command execution within the owner's process context. Additionally, fields like kerberos conn, tags, and post connection sql lack per-user persistence, meaning edits by non-owners mutate the owner's record, potentially causing data corruption via SQLAlchemy session mutations.
Recommendations Update to version 9.15.

Exploit

Fix

LPE

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7813
GHSA-H2X2-Q2MC-24GW
PYSEC-2026-452

Affected Products

Pgadmin
Pgadmin 4