CVE-2026-7818
Analyzed Analyzed - Analysis Complete
Unsafe Deserialization in pgAdmin 4 FileBackedSessionManager

Publication date: 2026-05-11

Last updated on: 2026-05-26

Assigner: PostgreSQL

Description
Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions directory was deserialized unconditionally. An authenticated user with write access to the sessions directory (whether by misconfiguration or in combination with another path-traversal flaw) could plant a crafted serialized payload to achieve operating-system level remote code execution under the pgAdmin process identity. Fix prepends a 64-byte hex SHA-256 HMAC over the session body, computed with SECRET_KEY, and verifies it via hmac.compare_digest before any deserialization. The check is raised (rather than asserted) on empty SECRET_KEY so it is not stripped under -O. This issue affects pgAdmin 4: before 9.15.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-26
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-7818
EUVD
EUVD-2026-29086
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pgadmin pgadmin_4 to 9.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows remote code execution through unsafe deserialization of session files, which could lead to unauthorized access or manipulation of sensitive data handled by pgAdmin 4.

Such unauthorized access or data compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and health information from unauthorized access or breaches.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Executive Summary

CVE-2026-7818 is a vulnerability in pgAdmin 4's FileBackedSessionManager where unsafe deserialization of session files occurs. The session manager deserializes data from session files without first verifying their integrity using an HMAC check. This means that any file placed into the sessions directory is deserialized unconditionally.

An authenticated user with write access to the sessions directory can exploit this by planting a crafted serialized payload, which can lead to remote code execution (RCE) at the operating system level under the pgAdmin process identity.

The vulnerability affects all versions of pgAdmin 4 before version 9.15. The fix involves adding a 64-byte SHA-256 HMAC check before deserialization, encrypting session files at rest, restricting file permissions, and other security improvements.

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the system running pgAdmin 4. An attacker who is authenticated and has write access to the sessions directory can execute arbitrary code with the privileges of the pgAdmin process.

Such an exploit could allow the attacker to take control of the system, potentially leading to data theft, system compromise, or further attacks within the network.

Detection Guidance

Detection of this vulnerability involves checking for the presence of pgAdmin 4 versions prior to 9.15 and verifying if the FileBackedSessionManager is deserializing session files without HMAC integrity checks.

Since the vulnerability requires an authenticated user with write access to the sessions directory, inspecting the permissions of the sessions directory and monitoring for unexpected file writes or modifications can help detect exploitation attempts.

Suggested commands to assist detection include:

  • Check pgAdmin 4 version: `pgadmin4 --version` or check installed package version via your package manager.
  • List permissions of the sessions directory to identify if unauthorized users have write access: `ls -ld /path/to/pgadmin/sessions`
  • Monitor for unexpected or suspicious files in the sessions directory: `ls -l /path/to/pgadmin/sessions`
  • Use file integrity monitoring tools or commands like `inotifywait` to watch for new or modified session files.
Mitigation Strategies

Immediate mitigation steps include upgrading pgAdmin 4 to version 9.15 or later, where the vulnerability is fixed by adding a SHA-256 HMAC integrity check before deserialization.

Additionally, restrict write permissions to the sessions directory to prevent unauthorized users from placing malicious serialized payloads.

Other recommended mitigations include encrypting session files at rest and applying security best practices to limit access to the pgAdmin process and its files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7818. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart