Description
Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager.

check_access_permission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storage directory pointing outside it and induce pgAdmin to write to any path reachable by the pgAdmin process.

Fix switches the access check to os.path.realpath for both source and destination, and adds an _open_upload_target helper that opens the target with O_NOFOLLOW (mode 0o600) to close the leaf-component TOCTOU between the access check and the open. File mode is hardened from 0o644 to 0o600.

This issue affects pgAdmin 4: before 9.15.
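The weak abspath check beside the realpath check and O_NOFOLLOW open described above, as an added illustration that is not pgAdmin's own code: the function names inside_abspath, inside_realpath, open_upload_target and demo, and the temporary storage/outside directory layout, are constructed for this example.

```python
import errno
import os
import shutil
import tempfile

def inside_abspath(storage_dir, path):
    # Weak check of the kind described above: abspath collapses '..'
    # but leaves symlink components untouched.
    base, target = os.path.abspath(storage_dir), os.path.abspath(path)
    return target == base or target.startswith(base + os.sep)

def inside_realpath(storage_dir, path):
    # Hardened check: realpath resolves every symlink, so the comparison
    # is made on the path the kernel will actually write to.
    base, target = os.path.realpath(storage_dir), os.path.realpath(path)
    return target == base or target.startswith(base + os.sep)

def open_upload_target(path):
    # O_NOFOLLOW refuses a symlink at the leaf (ELOOP), closing the window
    # between check and open; directory components are still resolved,
    # so the realpath check stays necessary. Mode 0o600 as in the fix.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "wb")

def demo():
    # Constructed layout: <tmp>/storage/upload.txt -> <tmp>/outside/target.conf
    root = tempfile.mkdtemp()
    try:
        storage = os.path.join(root, "storage")
        outside = os.path.join(root, "outside")
        os.makedirs(storage)
        os.makedirs(outside)
        victim = os.path.join(outside, "target.conf")
        with open(victim, "w") as f:
            f.write("original\n")
        link = os.path.join(storage, "upload.txt")
        os.symlink(victim, link)
        r = {"abspath_accepts_link": inside_abspath(storage, link),
             "realpath_accepts_link": inside_realpath(storage, link)}
        try:
            with open_upload_target(link) as f:
                f.write(b"tampered\n")
            r["nofollow_refused"] = False
        except OSError as e:
            r["nofollow_refused"] = e.errno == errno.ELOOP
        with open(victim) as f:
            r["victim_intact"] = f.read() == "original\n"
        return r
    finally:
        shutil.rmtree(root)
```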
Published: 2026-05-11
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when a user with permission to use the File Manager places a symbolic link in their storage directory that points outside it. The application's access check compares absolute paths but does not resolve symbolic links, and the kernel later follows the symlink when performing the write. As a result an authenticated user can trick pgAdmin into writing to arbitrary files reachable by the pgAdmin process. This is a CWE-61 (UNIX Symbolic Link (Symlink) Following) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') weakness; the potential impact includes data tampering, corruption of configuration files, or code execution if the attacker writes executable content.

Affected Systems

pgAdmin 4 by pgadmin.org, any release before 9.15, which is the first version to fix the issue.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. No EPSS score is reported and the vulnerability is not listed in the CISA KEV catalogue. However, the bug is exploitable by anyone who can authenticate to pgAdmin and has permission to use the File Manager, a common feature of the web interface. An arbitrary file write is enough to alter or replace critical configuration files, so the overall risk is significant, although exploitability depends on the environment and on which files are reachable by the pgAdmin process.

Generated by OpenCVE AI on May 11, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pgAdmin 4 9.15 or later to apply the realpath and O_NOFOLLOW fix.
  • If an immediate upgrade is not feasible, remove or restrict File Manager upload/write permissions for authenticated users by adjusting role settings or disabling the File Manager component in each user role.
  • Consider running pgAdmin in a container or otherwise sandboxed environment with a minimal, dedicated mount for the storage directory, so the process cannot write outside the intended directories.

Generated by OpenCVE AI on May 11, 2026 at 17:37 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Pgadmin; Pgadmin pgadmin 4
Vendors & Products | (none) | Pgadmin; Pgadmin pgadmin 4

Mon, 11 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-61
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | (the description shown at the top of this page)
Title | (none) | pgAdmin 4: Symbolic-link path traversal in File Manager allows arbitrary file write
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}; cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-11T16:06:03.147Z

Reserved: 2026-05-04T21:27:00.366Z

Link: CVE-2026-7819

Vulnrichment

Updated: 2026-05-11T16:05:33.754Z

NVD

Status: Received

Published: 2026-05-11T16:17:39.113

Modified: 2026-05-11T17:16:35.357

Link: CVE-2026-7819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses