Description
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.

The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.

The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter's PoC.

This issue affects pgAdmin 4: from 6.0 before 9.16.
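The accept/reject categories listed in the fix description translate directly into a validator. The block below is an added example written for this page, not pgAdmin's own helper: the description names a _is_safe_redirect_url function, but this implementation is independent, and the request_host argument (the Host header including any port) and the '/browser/' fallback path are assumptions. It also serves as a way to exercise each category the regression test is said to cover.

```python
"""Same-origin check for a user-supplied 'next' redirect target.

Added example, not pgAdmin's own code: the CVE description names a
_is_safe_redirect_url helper in the fix, but the implementation below is an
independent illustration of the accept/reject categories that description
lists. request_host and the '/browser/' fallback are assumptions.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect_url(target: str, request_host: str) -> bool:
    """Return True only if `target` stays on the host that served the request.

    request_host is the Host header value (e.g. 'pgadmin.example:5050'),
    including the port when one is present.
    """
    if not target:
        return False

    # Reject backslashes outright: some browsers rewrite '\' to '/', so
    # '/\evil.example' or 'http:\\evil.example' become external URLs in the
    # client even though a server-side parser sees a harmless relative path.
    if "\\" in target:
        return False

    # Reject whitespace and control characters; browsers (and newer urlsplit
    # versions) strip them, so 'java\tscript:' would otherwise reassemble.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False

    parts = urlsplit(target)

    if not parts.scheme and not parts.netloc:
        # A relative path. urlsplit reports netloc='' for '///evil.example', but
        # browsers skip any run of leading slashes and read it as protocol-
        # relative, so inspect the raw string rather than the parsed path.
        return not target.startswith("//")

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # javascript:, data:, mailto: and friends, plus protocol-relative
        # '//evil.example', which parses with an empty scheme but a netloc.
        return False

    # Userinfo trick: 'http://pgadmin.example@attacker.example/' contains the
    # expected host as a string, but the browser connects to attacker.example.
    if "@" in parts.netloc:
        return False

    # Host comparison includes the port, so https://pgadmin.example:5050 and
    # https://pgadmin.example are treated as different origins.
    return parts.netloc.lower() == request_host.lower()


def safe_next(target: str, request_host: str, fallback: str = "/browser/") -> str:
    """Return `target` if it passes the check, otherwise the internal fallback."""
    return target if is_safe_redirect_url(target, request_host) else fallback


if __name__ == "__main__":
    HOST = "pgadmin.example:5050"  # constructed sample Host header
    for candidate in (
        "/browser/",
        "https://pgadmin.example:5050/browser/",
        "https://attacker.example/",
        "//attacker.example/",
        "javascript:alert(1)",
        "http://pgadmin.example:5050@attacker.example/",
        "/\\attacker.example/",
    ):
        print(f"{candidate!r:55} -> {safe_next(candidate, HOST)}")
```

The check deliberately inspects the raw string before parsing: both the backslash and the leading-slash cases are ones where a server-side URL parser and a browser disagree, and a validator that trusts only the parsed components misses them. Comparing the full netloc (host plus port) rather than the hostname alone keeps a redirect to the same name on a different port from being treated as same-origin.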
Published: 2026-06-18
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pgAdmin 4 contains an open redirect vulnerability in its multi-factor authentication flow because the 'next' parameter is accepted without validation. An attacker can supply an external URL in /mfa/validate?next=... and an authenticated victim will be redirected to the attacker's host after completing the MFA step. This does not grant direct access to pgAdmin or the victim's database, but it can bypass the typical phishing trust barrier and increase the success rate of subsequent credential-phishing attacks. The weakness is classified as CWE-601.

Affected Systems

Versions of pgAdmin 4 from 6.0 up to and including 9.15 are affected. The vulnerability exists in the MFA validate and register endpoints and is present in all pgAdmin 4 releases from 6.0 prior to 9.16.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, driven by the impact on user trust rather than direct privilege escalation. No EPSS score is available, so the current exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a phishing link delivered to an authenticated user; the attacker must have an active account and the user must deliberately click the redirect. Because no elevated privileges are required, the exploitation risk is limited to credential compromise, which makes upgrading the preferred mitigation.

Generated by OpenCVE AI on June 19, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgAdmin 4 to version 9.16 or newer, which includes a safe-redirect helper.
  • Verify that all MFA redirects now only allow same-host destinations and that relative paths are properly resolved.
  • Test the login and MFA flow after upgrading to ensure that external 'next' URLs are rejected and the user is redirected internally.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type            Values Removed    Values Added
Description     --                (identical to the Description section above)
Title           --                pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter
Weaknesses      --                CWE-601
References      --                --
Metrics         --                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
                                  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-06-18T23:37:43.328Z

Reserved: 2026-06-11T20:40:09.111Z

Link: CVE-2026-12049

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T01:30:16Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')