PatchSiren cyber security CVE debrief
CVE-2026-7818 pgadmin.org CVE debrief
pgAdmin 4 versions before 9.15 contain a deserialization vulnerability in the FileBackedSessionManager component. The session manager deserialized session file contents with Python's standard pickle module before verifying HMAC integrity, so any file placed in the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory, whether through misconfiguration or in combination with a path-traversal vulnerability, could plant a crafted pickle payload and achieve operating-system level remote code execution under the pgAdmin process identity. The fix adds a 64-character hex-encoded HMAC-SHA-256 (32 raw bytes) over the session body, computed with SECRET_KEY, and verifies it with hmac.compare_digest before any deserialization occurs. The integrity check raises an exception rather than using an assert statement, because assert statements are stripped when Python runs with the -O optimization flag.
- Vendor: pgadmin.org
- Product: pgAdmin 4
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-11
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-11
- Advisory updated: 2026-05-26
Who should care
Organizations running pgAdmin 4 versions prior to 9.15, particularly those with multi-user deployments, shared hosting environments, or configurations where the sessions directory may be accessible to authenticated users. Security teams should prioritize patching due to the high impact of successful exploitation (complete system compromise under pgAdmin process identity) and the realistic attack vector through directory misconfiguration or chained path-traversal vulnerabilities.
Technical summary
The FileBackedSessionManager in pgAdmin 4 before 9.15 used Python's pickle module to deserialize session data from files without first verifying cryptographic integrity. Because session files were deserialized unconditionally, an attacker with write access to the sessions directory could achieve arbitrary code execution under the pgAdmin process identity. The remediation adds a 64-character hex-encoded HMAC-SHA-256 (32 raw bytes) computed with SECRET_KEY and verified via hmac.compare_digest before deserialization; the check raises an exception rather than relying on an assert statement, which Python strips under the -O flag.
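The following is an added example written for this debrief, not pgAdmin's own code. It places the pre-fix loading pattern (unpickle first, check nothing) beside the post-fix pattern (verify a 64-character hex HMAC-SHA-256 with hmac.compare_digest, then unpickle) and runs both against a planted session file. The SECRET_KEY value, the file layout (HMAC prefix followed by the pickled body), the SessionIntegrityError class and the demo() harness are assumptions for illustration; the planted pickle calls builtins.exec but only sets an environment variable so the effect is observable without running a shell command.

```python
import hashlib
import hmac
import os
import pickle
import secrets
import tempfile

# Stand-in for pgAdmin's SECRET_KEY (assumption: a strong random value; the
# real deployment reads it from its configuration).
SECRET_KEY = secrets.token_bytes(32)
SIG_LEN = 64  # HMAC-SHA-256 is 32 raw bytes, 64 characters when hex-encoded
MARKER = "PGADMIN_DEMO_PWNED"  # harmless side effect the planted pickle leaves


class SessionIntegrityError(Exception):
    """Raised, never asserted: 'assert' disappears under python -O."""


def load_session_vulnerable(path):
    """Pre-9.15 pattern as the advisory describes it: unpickle with no
    integrity check, so whatever sits in the sessions directory executes."""
    with open(path, "rb") as f:
        return pickle.load(f)


def _tag(body):
    """64-character hex HMAC-SHA-256 of the pickled session body."""
    return hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode("ascii")


def save_session(path, data):
    """Write <64 hex chars of HMAC><pickled body> (assumed layout)."""
    body = pickle.dumps(data)
    with open(path, "wb") as f:
        f.write(_tag(body) + body)


def load_session_fixed(path):
    """Post-fix pattern: constant-time HMAC check first, pickle only on success."""
    with open(path, "rb") as f:
        blob = f.read()
    if len(blob) < SIG_LEN:
        raise SessionIntegrityError("session file too short to carry an HMAC")
    stored, body = blob[:SIG_LEN], blob[SIG_LEN:]
    if not hmac.compare_digest(stored, _tag(body)):
        raise SessionIntegrityError("HMAC mismatch; refusing to unpickle")
    return pickle.loads(body)


class PlantedPayload:
    """What an attacker drops into the sessions directory: a pickle that calls
    builtins.exec on load. The mechanism is the same as for a shell command."""

    def __reduce__(self):
        return (exec, (f"import os\nos.environ[{MARKER!r}] = '1'",))


def _rejected(path):
    """True if the fixed loader refused the file before unpickling it."""
    try:
        load_session_fixed(path)
    except SessionIntegrityError:
        return True
    return False


def demo():
    """Run both loaders on a planted file and a legitimate one; return outcomes."""
    workdir = tempfile.mkdtemp(prefix="pgadmin-sessions-")
    planted = os.path.join(workdir, "planted.session")
    with open(planted, "wb") as f:
        f.write(pickle.dumps(PlantedPayload()))  # unsigned: attacker lacks SECRET_KEY

    os.environ.pop(MARKER, None)
    load_session_vulnerable(planted)
    vulnerable_executed = os.environ.get(MARKER) == "1"

    os.environ.pop(MARKER, None)
    fixed_rejected = _rejected(planted)
    fixed_executed = os.environ.get(MARKER) == "1"

    legit = os.path.join(workdir, "legit.session")
    save_session(legit, {"user_id": 7, "csrf": "abc"})
    roundtrip = load_session_fixed(legit)

    # Flip one bit of the signed body: the HMAC no longer matches, so the
    # file is refused without pickle ever seeing it.
    with open(legit, "r+b") as f:
        blob = bytearray(f.read())
        blob[-1] ^= 0x01
        f.seek(0)
        f.write(blob)
    tampered_rejected = _rejected(legit)

    return {
        "vulnerable_executed": vulnerable_executed,
        "fixed_rejected": fixed_rejected,
        "fixed_executed": fixed_executed,
        "roundtrip": roundtrip,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The ordering is the whole point: the unsigned planted file is rejected by the length/HMAC check before pickle.loads is ever reached, and a legitimately signed file with a single flipped bit is rejected the same way. Note that hmac.compare_digest is only meaningful if SECRET_KEY is strong; an empty or guessable key lets an attacker compute a valid tag for any payload.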
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pgAdmin 4 to version 9.15 or later to obtain the HMAC-SHA-256 integrity verification fix
- Verify that the pgAdmin SECRET_KEY configuration value is set to a cryptographically strong, non-empty value
- Restrict filesystem permissions on the pgAdmin sessions directory to prevent unauthorized write access
- Monitor sessions directory for unexpected files or modifications
- Review pgAdmin deployment configurations to ensure sessions directory is not accessible via path-traversal or other file upload vulnerabilities
- If immediate patching is not possible, consider implementing additional access controls or network segmentation to limit pgAdmin exposure
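One way to act on the permission and monitoring items above, as an added example that is not part of this debrief's evidence or pgAdmin's own tooling: audit the sessions directory for group/other write access, symlinks and foreign ownership, and statically disassemble each session file with pickletools.genops (which never executes anything) to flag opcodes that a plain-data session never needs. The assumed 64-character hex HMAC prefix on post-fix files, the SUSPICIOUS_OPCODES set, and the constructed sample files in demo() are assumptions for illustration.

```python
import os
import pickle
import pickletools
import stat
import tempfile

SIG_LEN = 64  # hex HMAC-SHA-256 prefix on post-fix session files (assumed layout)
# A session holding only plain data (dict, list, str, int, bytes, bool, None)
# never needs these: each imports a callable or invokes one during load.
SUSPICIOUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                      "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def pickle_body(blob):
    """Strip a leading 64-char hex HMAC if present; unsigned files pass through."""
    head = blob[:SIG_LEN]
    if len(head) == SIG_LEN and all(c in b"0123456789abcdef" for c in head):
        return blob[SIG_LEN:]
    return blob


def suspicious_opcodes(blob):
    """Disassemble with pickletools.genops, which parses without executing."""
    found = []
    try:
        for opcode, arg, _pos in pickletools.genops(pickle_body(blob)):
            if opcode.name in SUSPICIOUS_OPCODES:
                found.append(opcode.name if arg is None else f"{opcode.name}({arg})")
    except Exception as exc:  # truncated or non-pickle content is worth a look too
        found.append(f"MALFORMED({type(exc).__name__})")
    return found


def audit_sessions_dir(path):
    """Return (kind, name, reason) findings for the directory and its files."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("DIR", path,
                         f"writable by group/other (mode {oct(stat.S_IMODE(mode))})"))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            findings.append(("FILE", name, "symlink inside sessions directory"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            findings.append(("FILE", name, f"owned by uid {st.st_uid}, not the pgAdmin user"))
        with open(full, "rb") as f:
            blob = f.read()
        ops = suspicious_opcodes(blob)
        if ops:
            findings.append(("FILE", name, "suspicious pickle opcodes: " + ", ".join(ops)))
    return findings


def demo():
    """Constructed sessions directory: two benign files and one planted pickle."""
    d = tempfile.mkdtemp(prefix="pgadmin-sessions-")  # created with mode 0o700
    body = pickle.dumps({"user_id": 7, "name": "alice"})
    with open(os.path.join(d, "unsigned.session"), "wb") as f:
        f.write(body)                       # pre-9.15 style, plain data only
    with open(os.path.join(d, "signed.session"), "wb") as f:
        f.write(b"a" * SIG_LEN + body)      # fake hex prefix standing in for a real HMAC
    with open(os.path.join(d, "planted.session"), "wb") as f:
        # Protocol-0 pickle: GLOBAL os.system, push 'id', TUPLE, REDUCE, STOP.
        f.write(b"cos\nsystem\n(S'id'\ntR.")
    before = audit_sessions_dir(d)
    os.chmod(d, 0o777)                      # the misconfiguration the advisory warns about
    after = audit_sessions_dir(d)
    return before, after


if __name__ == "__main__":
    for kind, name, reason in demo()[1]:
        print(kind, name, reason)
```

Run periodically against the real sessions directory (or from a file-integrity monitor hook); a hit on GLOBAL/REDUCE in a session file is worth treating as an incident, since a legitimate session written by the application carries a valid HMAC and plain data. The opcode check is a detection aid, not a substitute for the upgrade: only the HMAC verification in 9.15 stops the file from being loaded.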
Evidence notes
CVE published 2026-05-11; NVD analysis modified 2026-05-26. Vendor advisory and patch available via GitHub issue #9901. CVSS 4.0 vector: AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. CWE-502 (Deserialization of Untrusted Data).
Official resources
- CVE-2026-7818 CVE record (CVE.org)
- CVE-2026-7818 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 - Issue Tracking, Patch, Vendor Advisory (2026-05-11)