CRITICAL🇵🇱 Wersja polska

CVE-2026-7813

CVSS 9.4v4.0pub. 2026-05-11upd. 2026-05-26

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs. Additionally, the Shared Servers feature contained multiple issues including credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd (a shell command executed when establishing the connection) allowing arbitrary command execution in the owner's process context, and owner-data corruption via SQLAlchemy session mutations. Several owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners through the API, and additional fields (kerberos_conn, tags, post_connection_sql) lacked per-user persistence so non-owner edits mutated the owner's record. Fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge / API response / ServerManager paths, and adds an explicit owner-only write guard. The remediation landed in two pull requests; both are referenced. This issue affects pgAdmin 4: before 9.15.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Pgadmin 4

    APP
    Pgadmin
    < 9.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-12048CRITICAL9.3ten sam produkt

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a P...

CVE-2026-12046CRITICAL9.5ten sam produkt

Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POS...

CVE-2026-12045CRITICAL9.4ten sam produkt

Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database conte...

CVE-2025-13780CRITICAL9.1PL ✓ten sam produkt

RCE w pgAdmin 4 poprzez złośliwe pliki dump w trybie serwerowym

CVE-2025-12762CRITICAL9.1PL ✓ten sam produkt

RCE w pgAdmin 4 — wstrzykiwanie komend podczas przywracania bazy