CVE-2026-7817
Local File Inclusion and SSRF in pgAdmin 4 LLM API
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: PostgreSQL
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgadmin | pgadmin_4 | up to 9.15 (exclusive) |
| pgadmin | pgadmin_4 | 9.13 |
| pgadmin | pgadmin_4 | 9.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7817 is a vulnerability in pgAdmin 4 versions 9.13 to 9.14 involving local file inclusion (LFI) and server-side request forgery (SSRF) in the LLM API configuration endpoints.
The issue occurs because user-supplied preferences for `api_key_file` and `api_url` are passed to LLM provider clients without proper validation.
An authenticated attacker could exploit this by specifying a malicious `api_key_file` path to read arbitrary server-side files or by manipulating `api_url` to coerce pgAdmin into making requests to internal targets, such as cloud metadata services.
The vulnerability affects the chat path and model-list endpoints.
The fix implemented in version 9.15 restricts `api_key_file` to the user's private storage or home directory, enforces a printable-ASCII key format with a 1024-byte read limit, and validates `api_url` against a configurable allow-list.
How can this vulnerability impact me?
This vulnerability can allow an authenticated attacker to read arbitrary files on the server running pgAdmin 4 by exploiting the local file inclusion flaw.
Additionally, the attacker can force pgAdmin to make unauthorized requests to internal network targets, such as cloud metadata services, through the server-side request forgery flaw.
These impacts could lead to exposure of sensitive information stored on the server or within internal network services, potentially compromising system security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your pgAdmin 4 instance is running a vulnerable version (9.13 to 9.14) and if the LLM API configuration endpoints are accessible to authenticated users.
You can attempt to detect exploitation attempts by monitoring requests to the chat path and model-list endpoints that include unusual or suspicious values for the `api_key_file` or `api_url` parameters.
For example, you might use network monitoring or web server logs to identify requests with parameters pointing to sensitive file paths or internal IP addresses such as 169.254.169.254.
Specific commands depend on your environment, but here are some general suggestions:
- Use grep or similar tools on web server logs to find suspicious requests: `grep -i 'api_key_file' /var/log/pgadmin4/access.log`
- Monitor network traffic for requests to internal IPs from pgAdmin 4: `tcpdump -i any host 169.254.169.254`
- Check the pgAdmin 4 version to confirm whether it is vulnerable: `pgadmin4 --version`, or check the installed package version.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade pgAdmin 4 to version 9.15 or later, where the vulnerability has been fixed.
The fix includes restricting the `api_key_file` parameter to the user's private storage or home directory, enforcing a printable-ASCII key format with a 1024-byte read cap, and validating `api_url` against a configurable allow-list.
If upgrading immediately is not possible, restrict access to the LLM API configuration endpoints to trusted users only and monitor for suspicious activity as a temporary measure.
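A defender-side illustration of the three controls the fix description above attributes to 9.15 (confining `api_key_file` to permitted directories, reading the key as printable ASCII under a 1024-byte cap, and checking `api_url` against a host allow-list), written as an added Python example; it is not pgAdmin's own code, and the function names, the `demo()` scenario built on temporary directories, and the `llm.example.com` host are assumptions.

```python
import os
import string
import tempfile
from urllib.parse import urlparse
MAX_KEY_BYTES = 1024  # read cap stated in the advisory
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # printable ASCII without control characters

def resolve_key_file(path, allowed_roots):
    real = os.path.realpath(path)  # collapse symlinks and '..' before comparing against the roots
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            return real
    raise ValueError("api_key_file is outside the permitted directories")

def read_api_key(path, allowed_roots):
    """Read at most MAX_KEY_BYTES and accept only a printable-ASCII key."""
    with open(resolve_key_file(path, allowed_roots), "rb") as fh:
        data = fh.read(MAX_KEY_BYTES + 1)  # the extra byte reveals an oversized file
    if len(data) > MAX_KEY_BYTES:
        raise ValueError("api_key_file exceeds %d bytes" % MAX_KEY_BYTES)
    key = data.decode("ascii", errors="replace").strip()  # non-ASCII bytes become U+FFFD and fail below
    if not key or any(ch not in PRINTABLE for ch in key):
        raise ValueError("api key must be printable ASCII")
    return key

def validate_api_url(url, allowed_hosts):
    """Accept only http(s) URLs whose host is on the configured allow-list."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("api_url must be an http(s) URL with a host")
    if parsed.hostname.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError("api_url host %r is not on the allow-list" % parsed.hostname)
    return url

def demo():
    # Constructed scenario (hypothetical): one acceptable key file and three that must be rejected.
    home, elsewhere = tempfile.mkdtemp(), tempfile.mkdtemp()  # user's private storage vs. any other directory
    cases = {"good": (home, b"sk-example-key-123\n"), "binary": (home, b"\x00\x01\xff"),
             "oversize": (home, b"A" * (MAX_KEY_BYTES + 1)), "outside": (elsewhere, b"root:x:0:0:\n")}
    results = {}
    for name, (folder, content) in cases.items():
        path = os.path.join(folder, name + ".txt")
        with open(path, "wb") as fh:
            fh.write(content)
        try:
            results[name] = read_api_key(path, [home])
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results
```

Host matching at configuration time does not cover HTTP redirects or DNS changes after the check, so the HTTP client used for the LLM calls should also be configured not to follow redirects to hosts off the list.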