CVE-2026-7813
Published 2026-05-11
CVE-2026-7813: Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.
Priority P267 · CVSS 3.1: 9.9 critical (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.46% (36.2th percentile)
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.
Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs.
Additionally, the Shared Servers feature contained multiple issues including credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd (a shell command executed when establishing the connection) allowing arbitrary command execution in the owner's process context, and owner-data corruption via SQLAlchemy session mutations. Several owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners through the API, and additional fields (kerberos_conn, tags, post_connection_sql) lacked per-user persistence so non-owner edits mutated the owner's record.
Fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge / API response / ServerManager paths, and adds an explicit owner-only write guard. The remediation landed in two pull requests; both are referenced.
This issue affects pgAdmin 4: before 9.15.
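The defect pattern and the fix described above, as an added example that is not pgAdmin's code: an unscoped lookup by object id beside a lookup scoped to the requesting user, with owner-only fields suppressed for non-owners and an owner-only write guard. It uses an in-memory sqlite3 table as a stand-in for the SQLAlchemy models; the schema, sample rows and function names are constructed for illustration.

```python
import sqlite3

# Fields the advisory lists as owner-only on Shared Servers.
OWNER_ONLY_FIELDS = ("passexec_cmd", "passexec_expiration", "db_res", "db_res_type")
UPDATABLE = {"name", "shared", "passexec_cmd", "db_res"}  # allow-list for the SET clause

def make_db():
    # Constructed stand-in for the server table: user 1 owns a private and a shared server.
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE server (id INTEGER PRIMARY KEY, user_id INTEGER, "
                 "name TEXT, shared INTEGER, passexec_cmd TEXT, db_res TEXT)")
    conn.executemany("INSERT INTO server VALUES (?,?,?,?,?,?)", [
        (1, 1, "private-prod", 0, "/usr/local/bin/get-pw", "postgres"),
        (2, 1, "shared-analytics", 1, "/usr/local/bin/get-pw", "analytics"),
        (3, 2, "user2-dev", 0, None, None),
    ])
    return conn

def fetch_server_vulnerable(conn, sid):
    # Pre-fix shape: lookup by id only, so a guessed id returns another user's row in full.
    row = conn.execute("SELECT * FROM server WHERE id=?", (sid,)).fetchone()
    return dict(row) if row else None

def fetch_server_scoped(conn, sid, user_id):
    # Fixed shape: the query is scoped to the requester (owner or shared) and owner-only fields are stripped.
    row = conn.execute(
        "SELECT * FROM server WHERE id=? AND (user_id=? OR shared=1)",
        (sid, user_id)).fetchone()
    if row is None:
        return None  # the caller answers HTTP 410, as the fixed connection_manager does
    data = dict(row)
    if data["user_id"] != user_id:
        for field in OWNER_ONLY_FIELDS:
            data.pop(field, None)
    return data

def update_server(conn, sid, user_id, changes):
    # Owner-only write guard: a non-owner may never set OWNER_ONLY_FIELDS.
    if not set(changes) <= UPDATABLE:
        raise ValueError("unknown column")
    row = fetch_server_scoped(conn, sid, user_id)
    if row is None:
        return False
    if row["user_id"] != user_id and any(f in changes for f in OWNER_ONLY_FIELDS):
        raise PermissionError("owner-only field write by non-owner")
    sets = ", ".join(f"{col}=?" for col in changes)
    conn.execute(f"UPDATE server SET {sets} WHERE id=?", (*changes.values(), sid))
    return True
```

Per-user persistence of non-owner edits to shared fields (the kerberos_conn / tags / post_connection_sql issue) is not modelled here; a non-owner edit to `name` still mutates the owner's row.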
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | < 9.15 | 9.15 |
| pgadmin | pgadmin_4 | < 9.15 | 9.15 |
Detection & IOCs (extracted from sources)
- Authenticated users can access another user's private servers, server groups, background processes, and debugger function arguments by guessing (enumerating) integer object IDs; monitor for sequential or anomalous cross-user object ID access patterns on pgAdmin 4 API endpoints in server mode.
- Monitor pgAdmin 4 API responses for unexpected exposure of owner-only fields: passexec_cmd, passexec_expiration, db_res, db_res_type, passfile, SSL keys. Their presence in responses to non-owner sessions indicates exploitation of credential leakage.
- Alert on API write requests (PUT/PATCH) from non-owner authenticated users attempting to set the fields passexec_cmd, passexec_expiration, db_res, or db_res_type on Shared Server objects; these fields should be owner-only and writes by non-owners indicate privilege escalation attempts.
- Treat any non-owner modification of passexec_cmd (a shell command executed when establishing the connection) as a critical indicator of attempted arbitrary command execution in the server owner's process context.
- In patched pgAdmin 4 (>= 9.15), the connection_manager returns HTTP 410 when access is denied in server mode; alert on HTTP 410 responses from pgAdmin connection_manager endpoints, as they indicate blocked cross-user access attempts, which may signal active exploitation probing.
- Monitor for non-owner edits to the fields kerberos_conn, tags, and post_connection_sql on Shared Server objects; these lacked per-user persistence and non-owner edits directly mutated the owner's record, indicating data corruption or persistence abuse.
- The vulnerability only affects pgAdmin 4 running in server mode; desktop/single-user mode deployments are not impacted.
- All pgAdmin 4 versions before 9.15 are vulnerable; the fix was introduced in pgAdmin 4 version 9.15 via two pull requests centralising access control in a new server_access module with UserScopedMixin.
- The fix landed in two separate pull requests; operators should verify both are present when validating patch completeness.
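Two of the detection signals above (sequential object ID walking by one session, and repeated HTTP 410 denials from a patched instance) run over constructed access-log lines, as an added example that is not part of the original page. The log line format and the `/browser/server/obj/<gid>/<sid>/` path shape are assumptions; adapt the regexes to the reverse proxy or application log actually in use.

```python
import re
from collections import defaultdict
# Constructed line format "<ts> sess=<id> <status> <method> <path>"; the path shape is assumed.
LINE_RE = re.compile(r"^(\S+) sess=(\S+) (\d{3}) (\w+) (\S+)$")
SERVER_RE = re.compile(r"^/browser/server/obj/\d+/(\d+)/?$")

SAMPLE_LOG = """\
2026-05-12T10:00:01Z sess=a1 200 GET /browser/server/obj/1/7/
2026-05-12T10:00:02Z sess=a1 200 GET /browser/server/obj/1/8/
2026-05-12T10:00:03Z sess=a1 410 GET /browser/server/obj/1/9/
2026-05-12T10:00:04Z sess=a1 410 GET /browser/server/obj/1/10/
2026-05-12T10:00:05Z sess=a1 410 GET /browser/server/obj/1/11/
2026-05-12T10:00:06Z sess=b2 200 GET /browser/server/obj/1/3/
"""

def parse(log_text):
    # Returns (session, status, server_id) for every line that targets a server object.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sm = SERVER_RE.match(m.group(5))
        if sm:
            events.append((m.group(2), int(m.group(3)), int(sm.group(1))))
    return events

def longest_consecutive_run(ids):
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect(events, run_len=4, denied_min=3):
    # Signals: one session walking consecutive server ids; repeated 410 denials (patched build).
    ids_by_sess, denied_by_sess = defaultdict(list), defaultdict(int)
    for sess, status, sid in events:
        ids_by_sess[sess].append(sid)
        if status == 410:
            denied_by_sess[sess] += 1
    alerts = []
    for sess, ids in ids_by_sess.items():
        if longest_consecutive_run(ids) >= run_len:
            alerts.append((sess, "sequential server id enumeration"))
        if denied_by_sess[sess] >= denied_min:
            alerts.append((sess, "repeated HTTP 410 access denials"))
    return alerts
```

On an unpatched instance the 410 signal never fires (the requests succeed), so the ID-walking heuristic is the one that applies before upgrading.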
CVSS provenance
- NVD, CVSS v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-h2x2-q2mc-24gw (ghsa_unreviewed · 2026-05-11): CVE-2026-7813 [CRITICAL] CWE-284. Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.
GHSA
GHSA (ghsa · 2026-05-11): CVE-2026-7813 [CRITICAL] CWE-284. pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-7813 pgadmin4: cross-user data access and shared-server privilege escalation in server mode [fedora-all]
bugzilla · 2026-05-12 · CVSS 9.4 · [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-68f6155fea (pgadmin4-9.15-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-68f6155fea
---
FEDORA-2026-1545df20ad (pgadmin4-9.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-1545df20ad
Bugzilla
CVE-2026-7813 pgadmin4: cross-user data access and shared-server privilege escalation in server mode
bugzilla · 2026-05-11 · CVSS 9.4 · [CRITICAL]