PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12046 pgadmin.org CVE debrief

A critical vulnerability was discovered in pgAdmin 4's SQL Editor blueprint, specifically in the DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> endpoints. These endpoints were missing the @pga_login_required decorator, making them accessible without authentication in server mode. This vulnerability, a missing-authentication-on-critical-function (CWE-306) wrapper around a deserialization-of-untrusted-data sink (CWE-502), could allow for remote code execution if an attacker possesses the Flask SECRET_KEY and has write access to pgAdmin's sessions/ directory. The defect is server-mode only and does not affect DESKTOP mode. The fix involves adding the @pga_login_required decorator to both endpoints.

Vendor
pgadmin.org
Product
pgAdmin 4
CVSS
CRITICAL 9.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-07-01
Advisory published
2026-06-19
Advisory updated
2026-07-01

Who should care

pgAdmin 4 users, particularly those running the application in server mode, should be aware of this critical vulnerability. The vulnerability affects pgAdmin 4 versions from 6.9 before 9.16. Users should apply the patch by updating to version 9.16 or later and review their Flask SECRET_KEY and access controls.

Technical summary

The vulnerability is caused by two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint that are missing the @pga_login_required decorator. This allows an attacker to access the endpoints without authentication in server mode, potentially leading to remote code execution. The endpoints reach a pickle.loads sink on session['gridData'][<trans_id>]['command_obj'], which can be exploited if an attacker has the Flask SECRET_KEY and write access to pgAdmin's sessions/ directory. The affected versions of pgAdmin 4 are from 6.9 before 9.16.

Defensive priority

High

Recommended defensive actions

  • Apply the patch by updating pgAdmin 4 to version 9.16 or later
  • Review and update the Flask SECRET_KEY to prevent unauthorized access
  • Restrict write access to pgAdmin's sessions/ directory
  • Monitor for suspicious activity in server mode
  • Perform a thorough review of the system for potential compromises
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-19T00:16:46.873Z and last modified on 2026-07-01T19:27:45.763Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification and defensive checks are recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:46.873Z and has not been modified since then. The NVD entry is currently Analyzed.