Description
Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager.

The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory (whether by misconfiguration or in combination with another path-traversal flaw) could plant a crafted serialized payload to achieve operating-system level remote code execution under the pgAdmin process identity.

Fix prepends a 64-byte hex SHA-256 HMAC over the session body, computed with SECRET_KEY, and verifies it via hmac.compare_digest before any deserialization. The check is raised (rather than asserted) on empty SECRET_KEY so it is not stripped under -O.

This issue affects pgAdmin 4: before 9.15.
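The patched layout described above (hex SHA-256 HMAC prefix over the pickled body, constant-time comparison before any deserialization, and a raised error rather than an assert on an empty SECRET_KEY), as an added Python example written for this page and not pgAdmin's own code. The SECRET_KEY and session values are constructed, and the function names and the `load_or_reject` helper are assumptions.

```python
import hashlib
import hmac
import pickle

# Constructed values for this example; pgAdmin's real settings and file layout are not shown here.
SECRET_KEY = b"constructed-secret-key-change-me"
HMAC_HEX_LEN = 64  # hex SHA-256 digest, the 64-byte prefix the advisory describes


def _tag(body, secret_key):
    """Hex SHA-256 HMAC over the serialized session body, keyed with SECRET_KEY."""
    if not secret_key:
        # raise, not assert: an assert would be stripped when Python runs with -O
        raise ValueError("SECRET_KEY must be set to a non-empty value")
    return hmac.new(secret_key, body, hashlib.sha256).hexdigest().encode("ascii")


def dump_session(session, secret_key=SECRET_KEY):
    """Serialize a session dict and prefix the body with its HMAC (patched layout)."""
    body = pickle.dumps(session)
    return _tag(body, secret_key) + body


def load_session(blob, secret_key=SECRET_KEY):
    """Verify the HMAC prefix with a constant-time compare, then and only then unpickle."""
    if len(blob) <= HMAC_HEX_LEN:
        raise ValueError("session file too short to carry an HMAC prefix")
    tag, body = blob[:HMAC_HEX_LEN], blob[HMAC_HEX_LEN:]
    if not hmac.compare_digest(tag, _tag(body, secret_key)):
        raise ValueError("session HMAC mismatch; refusing to deserialize")
    return pickle.loads(body)  # the unpatched code reached this line unconditionally


def load_or_reject(blob, secret_key=SECRET_KEY):
    """Helper returning (ok, session_or_reason) instead of raising, for callers and tests."""
    try:
        return True, load_session(blob, secret_key)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = dump_session({"user": "alice", "role": "admin"})
    print(load_or_reject(good))
    # an unsigned file, as any file simply dropped into the sessions directory would be
    print(load_or_reject(pickle.dumps({"user": "mallory"})))
    # a signed file whose body was modified after signing
    print(load_or_reject(good[:-1] + b"X"))
    # a file signed under a different key
    print(load_or_reject(dump_session({"user": "bob"}, b"other-key")))
```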
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pgAdmin 4 deserializes session files created by its own FileBackedSessionManager without first verifying their integrity. An attacker who can place a file into the sessions directory (through direct write permission granted to an authenticated user, through misconfiguration, or in combination with a separate path-traversal bug) can supply a crafted Python pickle payload. When the application reads the file it is deserialized unconditionally, so the attacker's code runs at operating-system level under the pgAdmin process identity, effectively hijacking the pgAdmin process. This is a classic unsafe deserialization flaw, classified as CWE-502.

Affected Systems

Products impacted are pgAdmin 4 versions prior to 9.15, released by pgadmin.org. No further version details are provided; the fix ships in 9.15 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.3, indicating high severity. The EPSS score is not available, so the current exploit probability cannot be quantified. The issue is not listed in the CISA KEV catalog, suggesting that no exploitation in the wild has been reported. The likely attack vector is privileged write access to the sessions directory: an attacker who authenticates with such privileges can drop a malicious pickle file, leading to remote code execution. HMAC verification before deserialization, as implemented in the patch, prevents this exploitation.

Generated by OpenCVE AI on May 11, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest pgAdmin 4 update (v9.15 or newer) which adds HMAC validation before deserialization
  • Configure a strong, non-empty SECRET_KEY in the pgAdmin configuration and ensure that the HMAC length matches the fixed 64-byte requirement
  • Restrict file creation rights for the sessions directory to only the pgAdmin service account, preventing authenticated users from writing arbitrary files
  • If immediate update is not possible, disable the FileBackedSessionManager feature or block external write access to its sessions directory until the patch is applied



Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pgadmin; Pgadmin pgadmin 4
Vendors & Products                    Pgadmin; Pgadmin pgadmin 4

Mon, 11 May 2026 16:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-502
Metrics                       ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    (identical to the Description section at the top of this page)
Title                          pgAdmin 4: Unsafe deserialization (CWE-502) in file-backed session manager leads to remote code execution
References
Metrics                        cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-11T16:07:11.650Z

Reserved: 2026-05-04T21:26:59.607Z

Link: CVE-2026-7818

Vulnrichment

Updated: 2026-05-11T16:07:01.350Z

NVD

Status : Received

Published: 2026-05-11T16:17:38.847

Modified: 2026-05-11T17:16:35.237

Link: CVE-2026-7818

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses