CVE-2026-7820

EPSS 0.04%
Veröffentlicht 11.05.2026 16:17:39
Zuletzt bearbeitet 13.05.2026 15:34:13
Quelle f86ef6dc-4d3a-42ad-8f28-e6d554
CVE-Watchlists
Login
Unerledigt
Login

pgAdmin 4: Account-lockout bypass via Flask-Security default /login view

Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4.

pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User model relied on Flask-Security's UserMixin.is_locked() (which always returns 'not locked') and Flask-Login's is_active (which only checks the active column, not locked). An attacker who triggered an account lockout via /authenticate/login could therefore obtain a session by re-submitting valid credentials directly to /login, defeating the brute-force-protection control for accounts using the INTERNAL authentication source. The same bypass also means that login attempts via /login are never rate-limited, so an attacker can perform an unbounded online password-guessing attack against INTERNAL accounts regardless of MAX_LOGIN_ATTEMPTS.

Fix overrides User.is_active and User.is_locked() so the locked column is enforced on every authentication path. LDAP, OAuth2, Kerberos, and Webserver users are not reachable by this bypass because they have no local password and are rejected by Flask-Security's LoginForm.validate before the locked check; the lockout itself is also internal-only (the /authenticate/login view filters by auth_source=INTERNAL).

This issue affects pgAdmin 4: before 9.15.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpgadmin.org

≫

Produkt pgAdmin 4

Default Statusaffected

Version 0

Version < 9.15

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.111

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/pgadmin-org/pgadmin4/issues/9904

https://nvd.nist.gov/vuln/detail/CVE-2026-7820

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-7820

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-7820

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-7820