PatchSiren cyber security CVE debrief
CVE-2026-12049 pgadmin.org CVE debrief
An open redirect vulnerability was found in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honored the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin. This could allow an authenticated victim who clicked a link typically delivered by phishing to be sent to an attacker-controlled host directly out of the trusted auth flow.
- Vendor
- pgadmin.org
- Product
- pgAdmin 4
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-19
- Original CVE updated
- 2026-06-29
- Advisory published
- 2026-06-19
- Advisory updated
- 2026-06-29
Who should care
Users of pgAdmin 4, especially those who use multi-factor authentication, should be aware of this vulnerability and take steps to protect themselves. This vulnerability could be used in phishing attacks to launder the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.
Technical summary
The vulnerability is an open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honored the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin. This could allow an attacker to launder their destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim. The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it.
Defensive priority
Medium
Recommended defensive actions
- Apply the patch to update pgAdmin 4 to version 9.16 or later
- Use a web application firewall to detect and prevent open redirect attacks
- Educate users about phishing attacks and the importance of verifying URLs before clicking on them
- Monitor for suspicious activity and implement additional security measures as needed
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-19T00:16:47.367Z and was last modified on 2026-06-29T15:16:21.470Z. The NVD entry is currently Analyzed. This open redirect vulnerability in pgAdmin 4's multi-factor authentication flow allows an attacker to launder their destination through pgAdmin's URL, raising the success rate of credential-phishing follow-on against the victim. Users should verify URLs before clicking on them and be cautious of phishing attacks. The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it.
Official resources
-
CVE-2026-12049 CVE record
CVE.org
-
CVE-2026-12049 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Patch
-
Mitigation or vendor reference
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Issue Tracking, Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-19T00:16:47.367Z and has not been modified since then. The NVD entry is currently Analyzed.