Description
Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.

User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_url, exploiting the chat path and model-list endpoints.

The fix restricts api_key_file to the user's private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates api_url against a configurable allow-list (config.ALLOWED_LLM_API_URLS) at every entry point.

This issue affects pgAdmin 4: before 9.15.
Published: 2026-05-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in pgAdmin 4 arises from unvalidated user‑supplied settings for LLM API configuration. The supplied api_key_file and api_url preferences are forwarded directly to LLM provider clients, allowing an authenticated user to read any file accessible to the pgAdmin process (local file inclusion) or to force pgAdmin to open internal network connections such as the cloud metadata service (server‑side request forgery). This flaw exposes confidential server files and lets the attacker reach internal services that are not reachable from outside the network.

Affected Systems

pgAdmin 4 released by pgadmin.org, any installation using a version prior to 9.15, where the LLM API configuration endpoints accept unvalidated api_key_file and api_url preferences.

Risk and Exploitability

The CVSS base score is 7.1, indicating medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalogue, so no publicly documented active exploits exist. However, because the flaw requires authentication, an attacker who gains user access can read arbitrary files and send internal network requests, compromising confidentiality and potentially affecting the availability of internal services. The absence of known exploits reduces immediate threat but the flaw remains inherently exploitable in permissive environments.

Generated by OpenCVE AI on May 11, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pgAdmin 4 to version 9.15 or later to benefit from the vendor‑issued validation logic that restricts api_key_file to the user’s private storage or home directory, enforces a printable‑ASCII key format with a 1024‑byte read cap, and requires an allow‑list for api_url.
  • If an upgrade is not feasible, manually configure the application so that api_key_file is confined to a user‑specific directory and set config.ALLOWED_LLM_API_URLS to a curated list of trusted LLM endpoints; this blocks internal‑address requests such as 169.254.169.254.
  • If disabling LLM functionality is acceptable, remove or comment out the LLM API configuration routes to eliminate the vulnerable code paths.
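The three controls described in the fix and in the recommended actions above, written out as an added illustration in Python (this is not pgAdmin's own code): confining api_key_file to a per-user directory, capping the key read at 1024 bytes and checking its shape, and gating api_url against an allow-list. The allow-list contents, the prefix-match semantics and the demo directory layout are assumptions.

```python
import os
import tempfile
from urllib.parse import urlparse

MAX_KEY_BYTES = 1024  # read cap named in the advisory
# Constructed stand-in for config.ALLOWED_LLM_API_URLS; assumed to hold URL prefixes.
ALLOWED_LLM_API_URLS = ("https://api.example-llm.com/v1/",)

def resolve_key_path(api_key_file, base_dir):
    """Canonical path of api_key_file if it stays inside base_dir, else None.
    realpath collapses '..' and follows symlinks, so links out of the tree are caught too."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, api_key_file))
    return candidate if os.path.commonpath([base, candidate]) == base else None

def read_api_key(api_key_file, base_dir):
    """Load a key: confined path, at most 1024 bytes, non-empty printable ASCII."""
    path = resolve_key_path(api_key_file, base_dir)
    if path is None:
        raise ValueError("api_key_file must lie inside the user's storage directory")
    with open(path, "rb") as fh:
        data = fh.read(MAX_KEY_BYTES + 1)  # one extra byte reveals an oversize file
    if len(data) > MAX_KEY_BYTES:
        raise ValueError("api_key_file exceeds the 1024-byte cap")
    key = data.strip()
    if not key or any(b < 0x21 or b > 0x7E for b in key):
        raise ValueError("api key must be non-empty printable ASCII without whitespace")
    return key.decode("ascii")

def api_url_allowed(api_url, allow_list=ALLOWED_LLM_API_URLS):
    """Only https URLs that start with an allow-listed prefix may be contacted."""
    parsed = urlparse(api_url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    return any(api_url.startswith(prefix) for prefix in allow_list)

def demo():
    """Constructed scenario: one valid key file inside a per-user storage directory."""
    user_dir = os.path.join(tempfile.mkdtemp(), "storage", "alice")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "llm.key"), "wb") as fh:
        fh.write(b"sk-constructed-example-key\n")
    return {
        "key": read_api_key("llm.key", user_dir),
        "traversal_blocked": resolve_key_path("../../secret.txt", user_dir) is None,
        "metadata_url_allowed": api_url_allowed("https://169.254.169.254/latest/meta-data/"),
        "llm_url_allowed": api_url_allowed("https://api.example-llm.com/v1/chat/completions"),
    }
```

The same checks must run at every endpoint that consumes these preferences (the advisory names the chat path and the model-list endpoints), not only where the preference is saved.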


Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pgadmin
                                      Pgadmin pgadmin 4
Vendors & Products                    Pgadmin
                                      Pgadmin pgadmin 4

Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CWE-918

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CWE-918

Mon, 11 May 2026 16:15:00 +0000

Type          Values Removed   Values Added
Weaknesses                     CWE-552
Metrics                        ssvc
                               {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    (text as in the Description section above)
Title                          pgAdmin 4: Local file inclusion and server-side request forgery in LLM API configuration endpoints
References
Metrics                        cvssV3_1
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                               cvssV4_0
                               {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-11T16:07:55.788Z

Reserved: 2026-05-04T21:26:58.879Z

Link: CVE-2026-7817

Vulnrichment

Updated: 2026-05-11T16:07:45.883Z

NVD

Status : Received

Published: 2026-05-11T16:17:38.590

Modified: 2026-05-11T17:16:35.113

Link: CVE-2026-7817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses