EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in pgAdmin 4, a popular open-source administration platform for PostgreSQL. The affected versions are all prior to 9.15. These vulnerabilities include unauthenticated authorization bypasses, full operating-system command execution, and privilege escalation. Business risk and impact are significant, as these issues could allow attackers to access private servers, background processes, and debugger arguments, ultimately leading to full system takeover. This could result in data breaches, system compromise, and potential business disruption.
- CVE-2026-7813 with a CVSS score of 9.4 – This vulnerability allows authenticated users to access private servers, background processes, and debugger arguments by guessing object IDs. Attackers can exploit this by manipulating object IDs to access sensitive information.
- CVE-2026-7815 with a CVSS score of 9.4 – This vulnerability allows users to execute arbitrary SQL and, eventually, OS commands via the COPY … TO PROGRAM primitive. Attackers can inject malicious input into psql \copy templates to break out of the database context and execute commands directly on the pgAdmin server.
- CVE-2026-7816 with a CVSS score of 9.4 – This vulnerability allows attackers to inject malicious input into a psql \copy template. By doing so, they can break out of the database context and execute commands directly on the pgAdmin server.
- CVE-2026-7820 with a CVSS score of 7.5 – This vulnerability allows attackers to perform unbounded online password guessing against internal accounts. The pgAdmin main login page enforces a maximum attempt limit, but a default Flask-Security /login endpoint remains reachable and completely ignores account lockouts.
- CVE-2026-7818 with a CVSS score of 8.8 – This vulnerability allows attackers to achieve remote code execution (RCE) by dropping a crafted file into the sessions directory. The session manager performs unsafe deserialization of session files before checking their integrity.
- CVE-2026-7817 with a CVSS score of 7.5 – This vulnerability allows attackers to read arbitrary server-side files or force pgAdmin to make requests to internal targets like cloud metadata services (SSRF). The LLM API configuration is not validated, allowing users to access sensitive information.
- CVE-2026-7819 with a CVSS score of 7.5 – This vulnerability allows authenticated users to plant symlinks to “trick” pgAdmin into writing files outside of their designated storage directory. Attackers can exploit this by manipulating file paths to access sensitive information.
The risk and urgency of these vulnerabilities are high, as they could allow attackers to gain full system access and compromise sensitive data. If exploited, business consequences could include data breaches, system compromise, and potential business disruption.
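As an added defensive illustration (not pgAdmin's code and not taken from the report), the containment check that the symlink issue in CVE-2026-7819 calls for: a write into a user's storage directory is refused when a planted symlink or a path escape would redirect it elsewhere. Function names and the directory layout are hypothetical.

```python
import os
import tempfile


def safe_storage_path(storage_root: str, relative_path: str) -> str:
    """Resolve relative_path under storage_root; raise PermissionError on escape.
    realpath() follows every symlink along the way, so a link planted in any
    path component is resolved before the containment check below."""
    root = os.path.realpath(storage_root)
    if os.path.isabs(relative_path):
        raise PermissionError("absolute paths are not allowed")
    resolved = os.path.realpath(os.path.join(root, relative_path))
    if os.path.commonpath([root, resolved]) != root:
        raise PermissionError(f"{relative_path!r} resolves outside storage root")
    return resolved


def write_user_file(storage_root: str, relative_path: str, data: bytes) -> str:
    """Write data to the validated path without following a symlink at open time."""
    target = safe_storage_path(storage_root, relative_path)
    # O_NOFOLLOW closes the window between the realpath check and the open: if the
    # final component was swapped for a symlink in between, open() fails rather
    # than writing through it.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed scenario: a symlink inside the user's directory points at a
    file outside it. Returns which writes succeeded and which were refused."""
    with tempfile.TemporaryDirectory() as tmp:
        storage = os.path.join(tmp, "storage", "user1")
        outside = os.path.join(tmp, "outside.txt")
        os.makedirs(storage)
        open(outside, "wb").close()
        os.symlink(outside, os.path.join(storage, "planted"))  # planted link (constructed)
        results = {}
        results["normal"] = os.path.isfile(write_user_file(storage, "notes.sql", b"select 1;"))
        for name in ("planted", "../../outside.txt"):
            try:
                write_user_file(storage, name, b"x")
                results[name] = "written"
            except PermissionError:
                results[name] = "refused"
        results["outside_untouched"] = os.path.getsize(outside) == 0
        return results
```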
RECOMMENDATION:
- We recommend updating pgAdmin 4 to version 9.15.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/pgadmin-4-critical-vulnerabilities-rce-authorization-bypass-v9-15/