CVE-2026-7818

EPSS 0.28%
Veröffentlicht 11.05.2026 16:17:38
Zuletzt bearbeitet 13.05.2026 15:34:13
Quelle f86ef6dc-4d3a-42ad-8f28-e6d554
CVE-Watchlists
Login
Unerledigt
Login

pgAdmin 4: Unsafe deserialization (CWE-502) in file-backed session manager leads to remote code execution

Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager.

The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory (whether by misconfiguration or in combination with another path-traversal flaw) could plant a crafted serialized payload to achieve operating-system level remote code execution under the pgAdmin process identity.

Fix prepends a 64-byte hex SHA-256 HMAC over the session body, computed with SECRET_KEY, and verifies it via hmac.compare_digest before any deserialization. The check is raised (rather than asserted) on empty SECRET_KEY so it is not stripped under -O.

This issue affects pgAdmin 4: before 9.15.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpgadmin.org

≫

Produkt pgAdmin 4

Default Statusaffected

Version 0

Version < 9.15

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.511

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	7.3	0	0	CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/pgadmin-org/pgadmin4/issues/9901

https://nvd.nist.gov/vuln/detail/CVE-2026-7818

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-7818

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-7818

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-7818