PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12049 pgadmin.org CVE debrief

An open redirect vulnerability was found in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honored the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin. This could allow an authenticated victim who clicked a link typically delivered by phishing to be sent to an attacker-controlled host directly out of the trusted auth flow.

Vendor
pgadmin.org
Product
pgAdmin 4
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-29
Advisory published
2026-06-19
Advisory updated
2026-06-29

Who should care

Users of pgAdmin 4, especially those who use multi-factor authentication, should be aware of this vulnerability and take steps to protect themselves. This vulnerability could be used in phishing attacks to launder the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.

Technical summary

The vulnerability is an open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honored the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin. This could allow an attacker to launder their destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim. The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it.

Defensive priority

Medium

Recommended defensive actions

  • Apply the patch to update pgAdmin 4 to version 9.16 or later
  • Use a web application firewall to detect and prevent open redirect attacks
  • Educate users about phishing attacks and the importance of verifying URLs before clicking on them
  • Monitor for suspicious activity and implement additional security measures as needed
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-19T00:16:47.367Z and was last modified on 2026-06-29T15:16:21.470Z. The NVD entry is currently Analyzed. This open redirect vulnerability in pgAdmin 4's multi-factor authentication flow allows an attacker to launder their destination through pgAdmin's URL, raising the success rate of credential-phishing follow-on against the victim. Users should verify URLs before clicking on them and be cautious of phishing attacks. The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.367Z and has not been modified since then. The NVD entry is currently Analyzed.