PatchSiren cyber security CVE debrief

CVE-2026-7813 pgadmin.org CVE debrief

pgAdmin 4 server mode contains multiple authorization flaws allowing authenticated users to access and modify other users' private resources. Affected modules include Server Groups, Servers, Shared Servers, Background Processes, and Debugger. The core issue is missing user-scoped filtering on object retrieval endpoints, enabling ID-guessing attacks to access private servers, server groups, background processes, and debugger function arguments belonging to other users.

The Shared Servers feature compounds this with credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd enabling arbitrary command execution in the owner's process context, and owner-data corruption through SQLAlchemy session mutations. Multiple owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners, while fields lacking per-user persistence (kerberos_conn, tags, post_connection_sql) caused non-owner edits to mutate owner records.

The fix introduces centralized access control via a new server_access module, UserScopedMixin for all user-owned models, HTTP 410 responses from connection_manager for denied access in server mode, suppression of owner-only fields for non-owners across merge/API response/ServerManager paths, and explicit owner-only write guards. Remediation was delivered across two pull requests. Affected versions are pgAdmin 4 before 9.15.

Vendor: pgadmin.org
Product: pgAdmin 4
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-26
Advisory published: 2026-05-11
Advisory updated: 2026-05-26

Who should care

Organizations running pgAdmin 4 in server mode with multiple authenticated users; database administrators managing shared server configurations; security teams monitoring for lateral movement and privilege escalation in database management tools; compliance officers responsible for access control and data segregation requirements.

Technical summary

The vulnerability stems from missing authorization checks on endpoints retrieving user-owned objects. In server mode, object IDs were not validated against the requesting user's identity, allowing authenticated users to enumerate and access other users' Server Groups, Servers, Background Processes, and Debugger data through predictable ID sequences. The Shared Servers feature introduced additional attack surface: passexec_cmd (a shell command executed during connection establishment) was both readable and writable by non-owners, enabling credential theft and arbitrary command execution in the owner's security context. Owner-only fields lacked proper write guards, and fields without per-user persistence caused destructive cross-user modifications. The remediation architecture introduces a server_access module for centralized authorization, UserScopedMixin for consistent user-scoped queries, HTTP 410 denial responses, field suppression for non-owners, and explicit write guards on sensitive owner-only attributes.
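The pre-fix lookup pattern beside the remediated one, as an added illustration written for this debrief (not pgAdmin's own code; the real server_access module and UserScopedMixin are not reproduced). Rows are plain dicts standing in for ORM objects, the sample values and the per-user overlay are assumptions, and an HTTP-style (status, data) tuple stands in for the endpoint response.

```python
# Owner-only fields named in the advisory: hidden from, and read-only for, non-owners.
OWNER_ONLY_FIELDS = {"passexec_cmd", "passexec_expiration", "db_res", "db_res_type"}
# Per-user overlay for non-owner edits to shared servers, keyed by (server id, user id):
# the per-user persistence the advisory says fields such as tags lacked (assumed design).
PER_USER_OVERRIDES = {}

# Constructed rows: user 1 shares server 1, server 2 is private to user 2. Ids are
# sequential, which is what made ID guessing work before the fix.
SERVERS = {
    1: {"id": 1, "user_id": 1, "name": "prod", "shared": True, "tags": "",
        "passexec_cmd": "/usr/local/bin/get-pass prod", "db_res": "postgres"},
    2: {"id": 2, "user_id": 2, "name": "staging", "shared": False, "tags": "",
        "passexec_cmd": "/usr/local/bin/get-pass staging", "db_res": ""},
}

def _reachable(sid, current_user):
    # The single access rule the fix centralises: own rows, or rows shared with the caller.
    srv = SERVERS.get(sid)
    return srv if srv and (srv["user_id"] == current_user or srv["shared"]) else None

def get_server_vulnerable(sid, current_user):
    # Pre-fix pattern: fetched by id alone, so any authenticated user reaches any row.
    return (200, dict(SERVERS[sid])) if sid in SERVERS else (404, None)

def get_server_scoped(sid, current_user):
    # Fixed pattern: 410 for both missing and foreign rows (no existence oracle);
    # non-owners get owner-only fields suppressed and their own overlay applied.
    srv = _reachable(sid, current_user)
    if srv is None:
        return (410, None)
    data = dict(srv)
    if srv["user_id"] != current_user:
        for name in OWNER_ONLY_FIELDS:
            data.pop(name, None)
        data.update(PER_USER_OVERRIDES.get((sid, current_user), {}))
    return (200, data)

def update_server(sid, current_user, changes):
    # Write guard: owners edit the row; non-owners may never touch owner-only fields,
    # and their other edits go to the overlay instead of mutating the owner's row.
    srv = _reachable(sid, current_user)
    if srv is None:
        return (410, None)
    if srv["user_id"] == current_user:
        srv.update(changes)
    elif OWNER_ONLY_FIELDS & set(changes):
        return (410, None)
    else:
        PER_USER_OVERRIDES.setdefault((sid, current_user), {}).update(changes)
    return get_server_scoped(sid, current_user)
```

Calling get_server_vulnerable(2, 1) returns user 2's passexec_cmd to user 1, while get_server_scoped(2, 1) returns (410, None) and get_server_scoped(1, 2) returns the shared row without its owner-only fields.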

Defensive priority

CRITICAL

Recommended defensive actions

  • Upgrade pgAdmin 4 to version 9.15 or later to obtain the centralized access control fixes
  • Review server mode deployments for unauthorized access patterns in audit logs, particularly around Server Groups, Shared Servers, Background Processes, and Debugger modules
  • Audit existing Shared Server configurations for potential credential exposure or unauthorized modifications to passexec_cmd, passfile, SSL keys, and other sensitive fields
  • Verify that non-owner users cannot view or modify owner-only fields including passexec_cmd, passexec_expiration, db_res, and db_res_type
  • Monitor for HTTP 410 responses from connection_manager as indicators of access control enforcement
  • Review SQLAlchemy session handling for data persistence issues affecting kerberos_conn, tags, and post_connection_sql fields

Evidence notes

Authorization bypass via missing user-scoped filtering on object retrieval endpoints. Credential leakage and privilege escalation in Shared Servers feature through writable passexec_cmd field. Data corruption via SQLAlchemy session mutations affecting fields without per-user persistence.

Official resources

CVE-2026-7813 was published on 2026-05-11 and last modified on 2026-05-26. The vulnerability affects pgAdmin 4 versions prior to 9.15. No known exploitation in ransomware campaigns has been reported.