PT-2026-39627 · Pgadmin 4

J3Seer · Published 2026-05-11 · Updated 2026-05-26 · CVE-2026-7817

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: pgAdmin 4 versions prior to 9.15

Description: Local file inclusion (LFI) and server-side request forgery (SSRF) issues exist in the LLM API configuration endpoints. An authenticated user can read arbitrary server-side files by supplying a path in the "api key file" preference, or force the application to make requests to internal targets, such as cloud metadata services, by manipulating the "api url" preference. Both issues are reachable through the chat path and model-list endpoints.

Recommendations: Update to version 9.15 or later. Restrict the "api url" preference with the config.ALLOWED LLM API URLS allow-list, enforced at every entry point that consumes the setting, not only where it is saved.
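As an added illustration (example code, not pgAdmin's own), the two checks a defender would want behind the preferences this advisory names: the API URL is compared component by component against an allow-list, and the API key file path is confined to one directory, with both checks re-run in each endpoint that uses the settings. The list name ALLOWED_LLM_API_URLS, its format, the key directory and the https-only rule are assumptions.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Constructed allow-list of URL prefixes; scheme, host, port and path are all
# compared. Name and format are assumptions, not pgAdmin's real config.
ALLOWED_LLM_API_URLS = ["https://api.example-llm.test/v1"]
# Constructed: the only directory from which an API key file may be read.
API_KEY_FILE_ROOT = Path("/var/lib/pgadmin/llm-keys")

def is_allowed_api_url(url: str) -> bool:
    """True only if url sits under an allow-listed prefix. Components are compared
    after parsing, not by string prefix, so a host that merely starts with the
    allowed one, a userinfo trick (https://allowed@other/), a different port or
    a plain-http metadata address all fail."""
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if u.scheme != "https" or not u.hostname or u.username or u.password:
        return False
    for allowed in ALLOWED_LLM_API_URLS:
        a = urlsplit(allowed)
        ap, up = a.path.rstrip("/"), u.path.rstrip("/")
        if (u.hostname == a.hostname and port == a.port
                and (up == ap or up.startswith(ap + "/"))):
            return True
    return False

def is_allowed_key_file(path: str) -> bool:
    """True only if path resolves inside API_KEY_FILE_ROOT. Resolving collapses
    '..' first, so traversal out of the directory or any other absolute path
    (e.g. /etc/passwd) is rejected."""
    try:
        resolved = Path(path).resolve(strict=False)
        root = API_KEY_FILE_ROOT.resolve(strict=False)
    except (OSError, RuntimeError):
        return False
    return root in resolved.parents

def check_llm_settings(api_url: str, api_key_file: str) -> list:
    """Run both checks. Call this in every endpoint that consumes the settings
    (preference save, chat path, model list), not only when they are stored."""
    errors = []
    if not is_allowed_api_url(api_url):
        errors.append("api_url is not in the allow-list")
    if not is_allowed_key_file(api_key_file):
        errors.append("api_key_file is outside the key directory")
    return errors
```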

Weakness Enumeration

Files Accessible to External Parties

Related Identifiers

CVE-2026-7817
GHSA-P58C-Q354-6C4F

Affected Products

Pgadmin
Pgadmin 4