Description
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.

Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs.

Additionally, the Shared Servers feature contained multiple issues including credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd (a shell command executed when establishing the connection) allowing arbitrary command execution in the owner's process context, and owner-data corruption via SQLAlchemy session mutations. Several owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners through the API, and additional fields (kerberos_conn, tags, post_connection_sql) lacked per-user persistence so non-owner edits mutated the owner's record.

Fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge / API response / ServerManager paths, and adds an explicit owner-only write guard. The remediation landed in two pull requests; both are referenced.

This issue affects pgAdmin 4: before 9.15.
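The description names two distinct defects: endpoints that fetched user-owned records by id alone, and shared-server edits that wrote owner-only fields or mutated the owner's record. The Python below is an added example, not pgAdmin's own code (pgAdmin is Flask + SQLAlchemy; plain dataclasses are used so it runs stand-alone). The field names come from the CVE text; `Server`, `Store`, `AccessDenied`, the helper functions and the per-user overlay are constructed for illustration, and the overlay is one possible design for "per-user persistence", not necessarily the one the fix adopted.

```python
"""Cross-user fetch and owner-only write guard, illustrating the defects
named in the CVE description and the shape of a fix.

Constructed example: Server, Store and the endpoint-style helpers are
hypothetical stand-ins, not pgAdmin's code.  Field names follow the CVE text."""
from dataclasses import dataclass, field, asdict

# Owner-only fields the page says non-owners could previously write via the API.
OWNER_ONLY_FIELDS = {"passexec_cmd", "passexec_expiration", "db_res", "db_res_type"}
# Credential material the page says leaked to non-owners of a shared server.
CREDENTIAL_FIELDS = {"passfile", "sslkey"}
# Fields that must be stored per user instead of on the owner's record.
PER_USER_FIELDS = {"kerberos_conn", "tags", "post_connection_sql"}


class AccessDenied(Exception):
    """Stand-in for the HTTP 410 the fix returns when access is denied in server mode."""


@dataclass
class Server:
    id: int
    user_id: int            # owner
    name: str
    shared: bool = False
    passexec_cmd: str = ""  # shell command run when the connection is established
    passexec_expiration: int = 0
    db_res: str = ""
    db_res_type: str = ""
    passfile: str = ""
    sslkey: str = ""
    kerberos_conn: bool = False
    tags: list = field(default_factory=list)
    post_connection_sql: str = ""


@dataclass
class Store:
    servers: dict = field(default_factory=dict)   # id -> Server
    overlays: dict = field(default_factory=dict)  # (id, user_id) -> per-user values


def get_server_unscoped(store, sid):
    """Pre-fix pattern: fetch by id only.  Any authenticated user who guesses
    sid gets the full record, credentials and passexec_cmd included."""
    return store.servers[sid]


def get_server_scoped(store, sid, uid):
    """Fixed pattern: the lookup is scoped to the requester.  Someone else's
    private server is indistinguishable from a missing one."""
    s = store.servers.get(sid)
    if s is None or (s.user_id != uid and not s.shared):
        raise AccessDenied(f"server {sid} not accessible to user {uid}")
    return s


def view_server(store, sid, uid):
    """API response: owner-only and credential fields are suppressed for
    non-owners, and the requester's own per-user values are merged in."""
    s = get_server_scoped(store, sid, uid)
    data = asdict(s)
    if s.user_id != uid:
        for name in OWNER_ONLY_FIELDS | CREDENTIAL_FIELDS:
            data.pop(name, None)
        data.update(store.overlays.get((sid, uid), {}))
    return data


def update_server(store, sid, uid, changes):
    """Explicit owner-only write guard.  Non-owners may set only per-user
    fields, and those land in an overlay so the owner's record never mutates."""
    s = get_server_scoped(store, sid, uid)
    if s.user_id == uid:
        for name, value in changes.items():
            setattr(s, name, value)
        return
    blocked = set(changes) - PER_USER_FIELDS
    if blocked:
        raise AccessDenied(f"non-owner may not write {sorted(blocked)}")
    store.overlays.setdefault((sid, uid), {}).update(changes)


def is_denied(fn, *args):
    """True if the call raises AccessDenied (a small check helper)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


ALICE, BOB = 1, 2


def build_store():
    """Constructed sample data: Alice shares a server that carries a
    passexec_cmd; Bob has a private server Alice should never see."""
    st = Store()
    st.servers[1] = Server(1, ALICE, "prod", shared=True,
                           passexec_cmd="/usr/local/bin/get-token prod",
                           passfile="/home/alice/.pgpass", tags=["owner"])
    st.servers[2] = Server(2, BOB, "bob-private")
    return st
```

With `build_store()`, `get_server_unscoped(st, 1)` hands Bob Alice's `passexec_cmd`, while `view_server(st, 1, BOB)` drops it; `update_server(st, 1, BOB, {"passexec_cmd": "id"})` is refused, and a non-owner `tags` edit is recorded for Bob only, leaving Alice's record untouched.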
Published: 2026-05-11
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pgAdmin 4 in server mode has an authorization flaw that lets any authenticated user fetch objects belonging to other users by guessing their identifiers. Exposed objects include private servers, server groups, background processes, and debugger function arguments. On shared servers, fields that should be owner-only (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners, and credential material (passexec_cmd, passfile, SSL keys) leaked to them. Because passexec_cmd is a shell command executed when the connection is established, a non-owner who writes it obtains arbitrary command execution in the owner's process context the next time the owner connects. The vulnerability carries a CVSS 4.0 score of 9.4 (CVSS 3.1: 9.9), classifying it as critical.

Affected Systems

The affected product is pgAdmin 4 from pgadmin.org, specifically all releases prior to version 9.15 running in server mode.

Risk and Exploitability

With a CVSS 4.0 score of 9.4 (CVSS 3.1: 9.9, scope changed), the risk level is extremely high. The EPSS score is below 1%, and the SSVC assessment recorded on this page marks exploitation as "poc" and the flaw as not automatable, but exploitation needs only an authenticated session: any user who can log in to pgAdmin in server mode can guess object IDs, read or alter configuration belonging to other users, and, by editing a shared server's passexec_cmd, have a shell command run in the owner's process context when that owner connects. The vulnerability is not listed in CISA's KEV catalog, but its severity and broad reach make it a priority for remediation.

Generated by OpenCVE AI on May 11, 2026 at 17:02 UTC.

Remediation

The CVE record lists no vendor fix or workaround, but its description states that the remediation shipped in pgAdmin 4 9.15 via two referenced pull requests.

OpenCVE Recommended Actions

  • Upgrade pgAdmin 4 to version 9.15 or later to apply the server_access module changes that enforce proper ownership checks and prevent unauthorized writes.
  • If upgrading immediately is infeasible, avoid the Shared Servers feature for servers configured with passexec_cmd, passfile or SSL key paths, limit server-mode accounts to trusted users (exploitation needs only a valid login), and monitor for unexpected changes to shared-server records.
  • Apply network segmentation or firewall rules to limit access to the pgAdmin server port to trusted administrative hosts, reducing the attack surface available for credential leakage and command execution.


Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared                    Pgadmin; Pgadmin pgadmin 4
  Vendors & Products                     Pgadmin; Pgadmin pgadmin 4

Mon, 11 May 2026 18:30:00 +0000

  Type      Values Removed   Values Added
  Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

  Type         Values Removed   Values Added
  Weaknesses                    CWE-200, CWE-269, CWE-284

Mon, 11 May 2026 15:30:00 +0000

  Type          Values Removed   Values Added
  Description                    (initial CVE description, identical to the Description at the top of this page)
  Title                          pgAdmin 4: Cross-user data access and shared-server privilege escalation in server mode
  References
  Metrics                        cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
                                 cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-11T17:32:49.824Z

Reserved: 2026-05-04T21:26:55.716Z

Link: CVE-2026-7813

Vulnrichment

Updated: 2026-05-11T17:32:37.214Z

NVD

Status : Received

Published: 2026-05-11T16:17:37.470

Modified: 2026-05-11T18:16:42.803

Link: CVE-2026-7813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses

CWE-200, CWE-269, CWE-284 (as recorded in the History above)