PT-2026-39630 · Pgadmin 4+1 · Pgadmin 4+1

Fernando Bortotti

·

Published

2026-05-04

·

Updated

2026-05-11

·

CVE-2026-7820

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions prior to 9.15
Description Improper restriction of excessive authentication attempts occurs because the MAX LOGIN ATTEMPTS limit is only enforced within the '/authenticate/login' view. The default '/login' view provided by Flask-Security does not check the User.locked field, as the User model relied on UserMixin.is locked() (which always returns 'not locked') and is active (which only checks the active column). This allows an attacker to bypass brute-force protection for accounts using the INTERNAL authentication source by submitting credentials directly to '/login'. Consequently, login attempts via '/login' are not rate-limited, enabling unbounded online password-guessing attacks. This issue does not affect LDAP, OAuth2, Kerberos, or Webserver users.
Recommendations Update to version 9.15 or later to ensure the locked column is enforced across all authentication paths.

Exploit

Fix

Improper Restriction of Excessive Authentication Attempts

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-09127
CVE-2026-7820
GHSA-HV9P-2PQF-R5W3

Affected Products

Pgadmin
Pgadmin 4