CVE-2026-12046: pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution
Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> -- were the only routes in the module missing the @pga_login_required decorator. Both reach a pickle.loads sink on session['gridData'][<trans_id>]['command_obj']: the close endpoint via close_sqleditor_session(), and update_sqleditor_connection via check_transaction_status(). In server mode these endpoints were reachable without any authenticated pgAdmin session.

The defect is a missing-authentication-on-critical-function (CWE-306) wrapper around a deserialization-of-untrusted-data sink (CWE-502). Exploiting it for remote code execution requires the attacker to also forge a server-side session file whose gridData entry contains a malicious pickle payload, which in turn requires both (a) knowledge of pgAdmin's Flask SECRET_KEY (no chain to leak it is described here -- the attacker must already possess it) and (b) write access to pgAdmin's sessions/ directory on the host. Neither precondition is granted by this defect on its own. When those preconditions are met from another channel (misconfigured deployment, prior compromise, leaked configuration), the missing auth gate is the final hop that turns an existing partial compromise into unauthenticated code execution in the pgAdmin process -- and, by extension, on the host under whatever account runs pgAdmin.

The fix adds a one-line @pga_login_required decorator to each of the two endpoints, matching the convention used by every other route in the module. The is_authenticated / MFA chain now runs before the trans_id is dereferenced, so an unauthenticated request is rejected before reaching the deserialization path.

The defect is server-mode only. In DESKTOP mode pgAdmin's before_request hook re-authenticates DESKTOP_USER on every request, so no endpoint can be exercised in an unauthenticated state and no auth decorator (or its absence) is meaningful. The accompanying regression test mirrors the attacker's path -- it harvests an X-pgA-CSRFToken from GET /login and replays it against both endpoints -- and self-skips outside server mode for that reason; it is wired into the existing server-mode CI workflow alongside the data-isolation tests.

This issue affects pgAdmin 4: from 6.9 before 9.16.
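The root cause above is a route handler that escaped the module-wide @pga_login_required convention (CWE-306). As an added defender-side check, not pgAdmin's own code or part of the advisory, the script below walks a Flask module's AST, reports every .route() handler that carries no auth decorator, and notes whether the handler body reaches a pickle.loads/pickle.load sink so such findings can be triaged first; the sample module it scans is constructed for this example, and the decorator names in AUTH_DECORATORS are assumed.

```python
# Added audit (not pgAdmin's code): find .route() handlers lacking an auth decorator.
import ast

AUTH_DECORATORS = {"pga_login_required", "login_required"}  # assumed names

def _name(node):
    """Bare name of a decorator or call target: @x, @x(), @a.b, @a.b()."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def _reaches_pickle(func):
    """True if the function body calls pickle.loads or pickle.load."""
    return any(
        isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
        and n.func.attr in ("loads", "load")
        and isinstance(n.func.value, ast.Name) and n.func.value.id == "pickle"
        for n in ast.walk(func))

def find_unguarded_routes(source):
    """Return [(handler, path, reaches_pickle)] for routes missing auth."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source))
                 if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))):
        decos = func.decorator_list
        paths = [d.args[0].value for d in decos
                 if isinstance(d, ast.Call) and _name(d) == "route"
                 and d.args and isinstance(d.args[0], ast.Constant)]
        if paths and not {_name(d) for d in decos} & AUTH_DECORATORS:
            findings.extend((func.name, p, _reaches_pickle(func)) for p in paths)
    return findings

# Constructed sample module, not pgAdmin's source: one guarded route, one not.
SAMPLE = '''
@blueprint.route('/status/<int:trans_id>', methods=["GET"])
@pga_login_required
def status(trans_id):
    return poll(trans_id)

@blueprint.route('/close/<int:trans_id>', methods=["DELETE"])
def close(trans_id):
    obj = pickle.loads(session['gridData'][str(trans_id)]['command_obj'])
    return obj.close()
'''
if __name__ == "__main__":
    for handler, path, sink in find_unguarded_routes(SAMPLE):
        print(f"{handler} {path}: no auth decorator; pickle sink reached={sink}")
```

Run it against the real blueprint file (read the file into `source`) to confirm that every route in the module carries the decorator after patching.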
Metrics
- CVSS v4.0: 9.5
- Severity: CRITICAL
- Fixed in: 9.16
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated pickle deserialization vulnerability affects pgAdmin 4 (versions 6.9 through 9.15) running in server mode. Two SQL Editor endpoints were missing the standard authentication decorator, allowing an attacker who already possesses the Flask SECRET_KEY and write access to the sessions directory to reach a pickle.loads sink without a valid pgAdmin session, turning a partial compromise into unauthenticated remote code execution under the pgAdmin process account. A patched-image rebuild at version 9.16 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that package pgAdmin 4. Any image layer containing a pgAdmin 4 installation between version 6.9 and 9.15 is flagged automatically.
HarborGuard scores this CVE at CVSS 9.5 (Critical, CVSS v4.0) and can apply per-environment compliance policy weighting to adjust alert priority before routing findings to the appropriate team inbox within each customer organization.
A patched-image rebuild at pgAdmin 4 version 9.16 becomes available through HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite against the new image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The two vulnerable endpoints are exposed over the network in pgAdmin server mode, so the attacker must be able to send HTTP requests to the pgAdmin server to reach the unauthenticated deserialization path.
- Authentication: Not required
No pgAdmin session or credentials are required to invoke the affected endpoints; the missing @pga_login_required decorator is precisely what this CVE addresses.
- Victim interaction: Not required
Exploitation is fully server-side and does not require any action from a logged-in user or administrator.
- Attack complexity: Low (AC:L), with attack requirements (AT:P)
The CVSS v4.0 vector records AC:L (reliable, condition-free exploit mechanics at the network layer) but AT:P (attack requires specific preconditions: possession of the Flask SECRET_KEY and write access to the sessions directory), so successful RCE depends on meeting those preconditions through a separate channel.
Blast Radius
- An attacker who meets the preconditions executes arbitrary code inside the pgAdmin process under the OS account that runs pgAdmin, with no authentication required.
- All data accessible to that OS account on the host, including database credentials stored in pgAdmin's configuration and any connected PostgreSQL instances, is readable and modifiable.
- The attacker can write, delete, or exfiltrate files on the host filesystem within the permissions of the pgAdmin process account.
- System confidentiality, integrity, and availability are all fully compromised at both the pgAdmin application layer and, through connected database credentials, potentially at the downstream database layer (CVSS v4.0 SC:H/SI:H/SA:H).
How HarborGuard Handles This
Available on HarborGuard: images containing pgAdmin 4 between versions 6.9 and 9.15 are matched against this CVE within minutes of advisory ingestion, covering both upstream base images and custom-built images that bundle pgAdmin. Triage is scored at CVSS 9.5 Critical and routed according to each organization's compliance policy. A patched rebuild at version 9.16 becomes available immediately upon detection; for customers with auto-remediation enabled, HarborGuard triggers the rebuild, runs regression tests, and opens a PR against affected workloads. Given the Critical severity, median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes.

Because exploitation requires two external preconditions (Flask SECRET_KEY exposure and write access to the sessions directory), teams that cannot patch immediately should audit pgAdmin deployment configurations to ensure the SECRET_KEY is not present in environment variables or config files accessible to other processes, restrict filesystem permissions on the pgAdmin sessions/ directory, and consider placing the pgAdmin server behind a network policy that limits inbound HTTP access to trusted source addresses only.
Affected Products
- pgadmin.org / pgAdmin 4: < 9.16 (from 6.9)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H