CVE-2026-7818
Published 2026-05-11
Severity: high, CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.13% (3.0th percentile)
Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager.
The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory (whether by misconfiguration or in combination with another path-traversal flaw) could plant a crafted serialized payload to achieve operating-system level remote code execution under the pgAdmin process identity.
The fix prepends a 64-byte hex SHA-256 HMAC over the session body, computed with SECRET_KEY, and verifies it via hmac.compare_digest before any deserialization takes place. An empty SECRET_KEY raises an exception instead of failing an assert, so the check is not stripped when Python runs with -O.
This issue affects pgAdmin 4: before 9.15.
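As an added illustration of the fix described above (example code, not pgAdmin's own): a minimal file-backed session store that prefixes a 64-byte hex HMAC-SHA256 over the serialized body and checks it with hmac.compare_digest before anything is deserialized. The SECRET_KEY value, the function names and the sample session contents are assumptions made for this example.

```python
import hashlib
import hmac
import pickle

# Stand-in for the application's Flask SECRET_KEY (constructed example value).
SECRET_KEY = "example-only-secret-key"
TAG_LEN = 64  # length of a hex-encoded SHA-256 digest


def session_tag(body: bytes, secret: str = SECRET_KEY) -> bytes:
    """HMAC-SHA256 over the serialized session body, as 64 hex bytes."""
    if not secret:
        # Raise instead of assert: asserts are stripped under `python -O`.
        raise ValueError("SECRET_KEY must not be empty")
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest().encode("ascii")


def pack_session(data: dict, secret: str = SECRET_KEY) -> bytes:
    """Serialize and prepend the tag: on-disk layout is <64 hex bytes><pickle body>."""
    body = pickle.dumps(data)
    return session_tag(body, secret) + body


def unpack_session(raw: bytes, secret: str = SECRET_KEY) -> dict:
    """Verify the tag in constant time and only then deserialize."""
    if len(raw) < TAG_LEN:
        raise ValueError("session data too short to carry an HMAC tag")
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    if not hmac.compare_digest(tag, session_tag(body, secret)):
        # Untagged legacy files and tampered files both land here;
        # pickle.loads is never reached for them.
        raise ValueError("session HMAC verification failed")
    return pickle.loads(body)


def save_session(path: str, data: dict, secret: str = SECRET_KEY) -> None:
    with open(path, "wb") as fh:
        fh.write(pack_session(data, secret))


def load_session(path: str, secret: str = SECRET_KEY) -> dict:
    with open(path, "rb") as fh:
        return unpack_session(fh.read(), secret)


def rejects(raw: bytes, secret: str = SECRET_KEY) -> bool:
    """True if the loader refuses `raw` without deserializing it."""
    try:
        unpack_session(raw, secret)
    except ValueError:
        return True
    return False
```

The check only helps if the sessions directory and SECRET_KEY are not both writable by the same untrusted party; a tag computed with a leaked key would verify.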
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgadmin.org | pgadmin_4 | < 9.15 | 9.15 |
| pgadmin | pgadmin_4 | < 9.15 | 9.15 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.3 | HIGH | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA (2026-05-11, HIGH, CWE-502): pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager
GHSA-4rhg-h8f2-v4jm (unreviewed, 2026-05-11, HIGH, CWE-502): Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager
No detection rules found.
No public exploits indexed.
Bugzilla (2026-05-12, CVSS 7.3, HIGH): CVE-2026-7818 pgadmin4: unsafe deserialization in file-backed session manager leads to remote code execution [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-68f6155fea (pgadmin4-9.15-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-68f6155fea
---
FEDORA-2026-1545df20ad (pgadmin4-9.15-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-1545df20ad
Bugzilla (2026-05-11, CVSS 7.3, HIGH): CVE-2026-7818 pgadmin4: unsafe deserialization in file-backed session manager leads to remote code execution