PT-2026-39630 · Pgadmin 4+1 · Pgadmin 4+1
Fernando Bortotti
·
Published
2026-05-04
·
Updated
2026-05-11
·
CVE-2026-7820
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
pgAdmin 4 versions prior to 9.15
Description
Improper restriction of excessive authentication attempts occurs because the
MAX LOGIN ATTEMPTS limit is only enforced within the '/authenticate/login' view. The default '/login' view provided by Flask-Security does not check the User.locked field, as the User model relied on UserMixin.is locked() (which always returns 'not locked') and is active (which only checks the active column). This allows an attacker to bypass brute-force protection for accounts using the INTERNAL authentication source by submitting credentials directly to '/login'. Consequently, login attempts via '/login' are not rate-limited, enabling unbounded online password-guessing attacks. This issue does not affect LDAP, OAuth2, Kerberos, or Webserver users.Recommendations
Update to version 9.15 or later to ensure the locked column is enforced across all authentication paths.
Exploit
Fix
Improper Restriction of Excessive Authentication Attempts
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pgadmin
Pgadmin 4