CVE-2026-1707Improper Access Control in Pgadmin 4

CWE-284Improper Access ControlCWE-639Authorization Bypass Through User-Controlled Key5 documents5 sources
Severity
6.3MEDIUMNVD
CNA7.4
EPSS
0.0%
top 93.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pgadmin.org Pgadmin 4Pgadmin 4
Timeline
PublishedFeb 5

Description

pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict `. This results in reliable command executi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

CVEListV5pgadmin.org/pgadmin_49.11

🔴Vulnerability Details

3
CVEList
Restore restriction bypass via key disclosure vulnerability (pgAdmin 4)2026-02-05
GHSA
pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability2026-02-05
OSV
pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability2026-02-05

🕵️Threat Intelligence

1
Wiz
CVE-2026-1707 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-1707 — Improper Access Control in Pgadmin 4 | cvebase