PatchSiren cyber security CVE debrief

CVE-2026-7817 pgadmin.org CVE debrief

CVE-2026-7817 documents Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) vulnerabilities in pgAdmin 4's LLM API configuration endpoints. The issue stems from insufficient validation of user-supplied `api_key_file` and `api_url` preferences, which were passed directly to LLM provider clients without sanitization. An authenticated attacker could exploit this to read arbitrary files readable by the pgAdmin process by manipulating the `api_key_file` path, or coerce the application into making requests to internal network targets—including cloud metadata services such as 169.254.169.254—by setting a malicious `api_url`. The vulnerable endpoints include the chat path and model-list functionality. The fix implements path restriction for `api_key_file` to user-private storage in server mode or the home directory in desktop mode, enforces printable-ASCII key validation with a 1024-byte read limit, and introduces a configurable allow-list (`config.ALLOWED_LLM_API_URLS`) to gate all `api_url` inputs. Affected versions span from 9.13 up to but not including 9.15. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and high confidentiality impact.

Vendor: pgadmin.org
Product: pgAdmin 4
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-26
Advisory published: 2026-05-11
Advisory updated: 2026-05-26

Who should care

Database administrators operating pgAdmin 4 instances, security teams managing PostgreSQL infrastructure, DevOps engineers deploying pgAdmin in containerized or cloud environments, and organizations utilizing pgAdmin 4's LLM integration features for AI-assisted database operations.

Technical summary

The vulnerability exists in pgAdmin 4's LLM integration feature where two user-configurable preferences—`api_key_file` and `api_url`—were processed without adequate validation. The `api_key_file` parameter accepted arbitrary file paths, enabling authenticated users to specify sensitive system files (e.g., `/etc/passwd`, application configuration files, or SSH keys) that the pgAdmin process could read and potentially expose through error messages or LLM provider responses. The `api_url` parameter accepted arbitrary URLs without scheme, host, or IP restrictions, allowing attackers to redirect LLM API requests to internal infrastructure. This SSRF vector specifically enables access to cloud instance metadata services at 169.254.169.254, which could yield IAM credentials, network configuration, or other sensitive cloud metadata. The chat and model-list endpoints served as the primary exploitation paths. The remediation restricts `api_key_file` to sandboxed user directories, implements content validation (printable-ASCII, size limits), and enforces URL allow-listing through `ALLOWED_LLM_API_URLS` configuration at all entry points.
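To make the remediation concrete, the following is an added Python example (pgAdmin 4 is written in Python) that is not pgAdmin's own code. It implements the three controls the advisory names: confining `api_key_file` to a per-user base directory, reading at most 1024 bytes and accepting only printable ASCII, and gating `api_url` with an explicit allow-list compared on parsed URL components rather than string prefixes. The function names `load_api_key` and `check_api_url`, the `ALLOWED_LLM_API_URLS` entries (a stand-in for the real `config.ALLOWED_LLM_API_URLS`), and the sample key files are constructed for this example.

```python
import os
import tempfile
from urllib.parse import urlsplit

MAX_KEY_BYTES = 1024  # read limit named in the advisory

# Stand-in for config.ALLOWED_LLM_API_URLS; these entries are constructed
# for this example and are not pgAdmin defaults.
ALLOWED_LLM_API_URLS = [
    "https://api.openai.com/v1/",
    "https://llm.internal.example:8443/v1/",
]


def load_api_key(api_key_file, base_dir):
    """Return the key stored in api_key_file, which must live under base_dir.

    base_dir plays the role of the user's private storage (server mode) or
    home directory (desktop mode). Raises ValueError on any violation.
    """
    base = os.path.realpath(base_dir)
    # join() discards base when api_key_file is absolute, and realpath()
    # collapses '..' and follows symlinks, so the commonpath check below
    # catches absolute paths, traversal and symlinks that leave base.
    target = os.path.realpath(os.path.join(base, api_key_file))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("api_key_file must be inside the user's storage directory")
    if not os.path.isfile(target):
        raise ValueError("api_key_file is not a regular file")
    with open(target, "rb") as fh:
        raw = fh.read(MAX_KEY_BYTES + 1)  # the extra byte reveals oversize files
    if len(raw) > MAX_KEY_BYTES:
        raise ValueError("api_key_file exceeds %d bytes" % MAX_KEY_BYTES)
    key = raw.rstrip(b"\r\n")
    # Printable ASCII only (0x20..0x7E): rejects NUL and control bytes and
    # anything non-ASCII, which also rules out most binary or system files.
    if not key or any(b < 0x20 or b > 0x7E for b in key):
        raise ValueError("api_key_file must contain printable ASCII only")
    return key.decode("ascii")


def check_api_url(api_url, allowed=None):
    """Return api_url if it falls under an allow-listed prefix, else raise."""
    allowed = ALLOWED_LLM_API_URLS if allowed is None else allowed
    parts = urlsplit(api_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("api_url must be an absolute http(s) URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("api_url must not carry credentials")
    for entry in allowed:
        ok = urlsplit(entry)
        # Compare parsed scheme/host/port, not raw string prefixes: a plain
        # api_url.startswith(entry) would accept look-alike hostnames.
        if (parts.scheme, parts.hostname, parts.port) != (ok.scheme, ok.hostname, ok.port):
            continue
        prefix = ok.path if ok.path.endswith("/") else ok.path + "/"
        if parts.path == ok.path or parts.path.startswith(prefix):
            return api_url
    raise ValueError("api_url is not in ALLOWED_LLM_API_URLS")


def demo():
    """Run both checks over constructed inputs and report accept/reject."""
    outcome = {}

    def attempt(label, fn, *args):
        try:
            fn(*args)
            outcome[label] = "accepted"
        except ValueError:
            outcome[label] = "rejected"

    with tempfile.TemporaryDirectory() as storage:  # constructed user storage
        with open(os.path.join(storage, "llm.key"), "wb") as fh:
            fh.write(b"sk-constructed-example-key\n")
        with open(os.path.join(storage, "big.key"), "wb") as fh:
            fh.write(b"a" * (MAX_KEY_BYTES + 1))
        with open(os.path.join(storage, "bin.key"), "wb") as fh:
            fh.write(b"\x00\x01\x02")
        outcome["key"] = load_api_key("llm.key", storage)
        attempt("absolute_path", load_api_key, "/etc/passwd", storage)
        attempt("traversal", load_api_key, "../../etc/passwd", storage)
        attempt("oversize", load_api_key, "big.key", storage)
        attempt("binary", load_api_key, "bin.key", storage)

    attempt("allowed_url", check_api_url, "https://api.openai.com/v1/chat/completions")
    attempt("metadata_url", check_api_url, "http://169.254.169.254/latest/meta-data/")
    attempt("lookalike_host", check_api_url, "https://api.openai.com.evil.example/v1/")
    attempt("wrong_scheme", check_api_url, "http://api.openai.com/v1/")
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allow-list comparison deliberately matches scheme, host and port as parsed components and only then checks the path prefix, so an entry such as `https://api.openai.com/v1/` admits `/v1/chat/completions` but not a different host, scheme or port; the metadata address is rejected simply because it is not listed, which is the property the advisory's `ALLOWED_LLM_API_URLS` gate provides.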

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade pgAdmin 4 to version 9.15 or later to obtain the security fix
  • If immediate patching is not feasible, restrict pgAdmin 4 access to trusted administrative users only
  • Review and configure the ALLOWED_LLM_API_URLS setting to explicitly define permitted LLM API endpoints
  • Monitor pgAdmin 4 application logs for suspicious api_key_file or api_url configuration changes
  • Audit existing pgAdmin 4 user preferences for any unauthorized LLM API configuration modifications
  • Ensure pgAdmin 4 server processes run with minimal file system privileges to reduce LFI impact
  • Block outbound network access from pgAdmin 4 hosts to cloud metadata IP ranges (169.254.169.254/32) at the network layer if not required

Evidence notes

Vulnerability description and fix details are sourced from the NVD record. CPE criteria confirm the affected range as versions 9.13 up to, but not including, 9.15. Vendor advisory and patch information are available via the referenced GitHub issue.

Official resources

2026-05-11