PatchSiren cyber security CVE debrief
CVE-2026-12046 pgadmin.org CVE debrief
A critical vulnerability was discovered in pgAdmin 4's SQL Editor blueprint, specifically in the DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> endpoints. These endpoints were missing the @pga_login_required decorator, making them accessible without authentication in server mode. This vulnerability, a missing-authentication-on-critical-function (CWE-306) wrapper around a deserialization-of-untrusted-data sink (CWE-502), could allow for remote code execution if an attacker possesses the Flask SECRET_KEY and has write access to pgAdmin's sessions/ directory. The defect is server-mode only and does not affect DESKTOP mode. The fix involves adding the @pga_login_required decorator to both endpoints.
- Vendor
- pgadmin.org
- Product
- pgAdmin 4
- CVSS
- CRITICAL 9.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-19
- Original CVE updated
- 2026-07-01
- Advisory published
- 2026-06-19
- Advisory updated
- 2026-07-01
Who should care
pgAdmin 4 users, particularly those running the application in server mode, should be aware of this critical vulnerability. The vulnerability affects pgAdmin 4 versions from 6.9 before 9.16. Users should apply the patch by updating to version 9.16 or later and review their Flask SECRET_KEY and access controls.
Technical summary
The vulnerability is caused by two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint that are missing the @pga_login_required decorator. This allows an attacker to access the endpoints without authentication in server mode, potentially leading to remote code execution. The endpoints reach a pickle.loads sink on session['gridData'][<trans_id>]['command_obj'], which can be exploited if an attacker has the Flask SECRET_KEY and write access to pgAdmin's sessions/ directory. The affected versions of pgAdmin 4 are from 6.9 before 9.16.
Defensive priority
High
Recommended defensive actions
- Apply the patch by updating pgAdmin 4 to version 9.16 or later
- Review and update the Flask SECRET_KEY to prevent unauthorized access
- Restrict write access to pgAdmin's sessions/ directory
- Monitor for suspicious activity in server mode
- Perform a thorough review of the system for potential compromises
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-19T00:16:46.873Z and last modified on 2026-07-01T19:27:45.763Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus. Further verification and defensive checks are recommended.
Official resources
-
CVE-2026-12046 CVE record
CVE.org
-
CVE-2026-12046 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Issue Tracking, Patch, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:46.873Z and has not been modified since then. The NVD entry is currently Analyzed.