CVE-2026-7818
Unsafe Deserialization in pgAdmin 4 FileBackedSessionManager
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: PostgreSQL
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| pgadmin | pgadmin_4 | all versions before 9.15 (9.15 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7818 is an unsafe-deserialization flaw (CWE-502) in pgAdmin 4's FileBackedSessionManager, the component that persists server-side sessions as files on disk. Before 9.15 it deserialized those files without first verifying an HMAC over their contents, so any file placed in the sessions directory was deserialized unconditionally, whether or not pgAdmin had written it.
An authenticated user who can write to the sessions directory can therefore plant a crafted serialized payload; when the server loads it, the payload executes inside the pgAdmin process, giving code execution at the operating-system level under that process's identity.
All versions of pgAdmin 4 before 9.15 are affected. The fix adds an HMAC-SHA256 integrity check (a 32-byte tag, 64 characters when hex-encoded) that must pass before anything is deserialized, encrypts session files at rest, tightens file permissions, and makes related hardening changes.
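To make the flaw concrete, the following is an added example written for this page; it is not pgAdmin's own code. It contrasts a loader shaped like the one described above (the file's bytes go straight to pickle) with a hardened loader that verifies an HMAC-SHA256 tag over the serialized bytes before unpickling and writes session files owner-only. The `tag || pickle` file layout, the function names and the `PlantedPayload` class are assumptions for the example; the payload calls `os.makedirs` as a harmless stand-in for `os.system`, so proof that the payload ran is a directory on disk rather than a shell command.

```python
import hashlib
import hmac
import os
import pickle
import tempfile

TAG_LEN = hashlib.sha256().digest_size  # an HMAC-SHA256 tag is 32 bytes


def load_session_unsafe(path):
    """Loader shaped like the flaw described above (assumed, not pgAdmin's code):
    the file's bytes go straight to pickle, so a planted file runs on load."""
    with open(path, "rb") as fh:
        return pickle.load(fh)


def save_session_hardened(path, data, key):
    """Write tag || pickle as an owner-only (0600) file and replace atomically.
    The on-disk layout is an assumption made for this example."""
    payload = pickle.dumps(data, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(tag + payload)
    os.replace(tmp, path)


def load_session_hardened(path, key):
    """Verify the HMAC over the serialized bytes before anything is unpickled."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if len(blob) < TAG_LEN:
        raise ValueError("session file too short to carry an HMAC tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare; a mismatch means the key holder did not write this
    # file, so its bytes must never reach pickle.loads().
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session file failed HMAC check; refusing to deserialize")
    return pickle.loads(payload)


class PlantedPayload:
    """Constructed attacker object. On unpickling, pickle calls the callable
    returned by __reduce__ with attacker-chosen arguments; os.makedirs stands
    in for os.system so the proof of execution is a directory, not a command."""

    def __init__(self, marker_dir):
        self.marker_dir = marker_dir

    def __reduce__(self):
        return (os.makedirs, (self.marker_dir,))


def _plant(path, marker_dir):
    with open(path, "wb") as fh:
        fh.write(pickle.dumps(PlantedPayload(marker_dir)))


def demo():
    """Run a planted file through both loaders, then round-trip and tamper a legitimate file."""
    key = os.urandom(32)  # a real server would use a persistent secret
    with tempfile.TemporaryDirectory() as d:
        marker1 = os.path.join(d, "RAN_VIA_UNSAFE")
        _plant(os.path.join(d, "planted1.session"), marker1)
        load_session_unsafe(os.path.join(d, "planted1.session"))
        unsafe_ran = os.path.isdir(marker1)  # True: the payload executed

        marker2 = os.path.join(d, "RAN_VIA_HARDENED")
        _plant(os.path.join(d, "planted2.session"), marker2)
        try:
            load_session_hardened(os.path.join(d, "planted2.session"), key)
        except ValueError:
            pass
        hardened_ran = os.path.isdir(marker2)  # False: rejected before pickle ran

        legit = os.path.join(d, "legit.session")
        save_session_hardened(legit, {"user": "alice"}, key)
        data = load_session_hardened(legit, key)
        mode = oct(os.stat(legit).st_mode & 0o777)

        # Flip one byte of the legitimate file's payload: the tag no longer
        # verifies, so even a subtly modified pickle is never executed.
        with open(legit, "r+b") as fh:
            fh.seek(TAG_LEN)
            first = fh.read(1)
            fh.seek(TAG_LEN)
            fh.write(bytes([first[0] ^ 0x01]))
        try:
            load_session_hardened(legit, key)
            tamper_accepted = True
        except ValueError:
            tamper_accepted = False

    return {"unsafe_ran": unsafe_ran, "hardened_ran": hardened_ran, "data": data,
            "mode": mode, "tamper_accepted": tamper_accepted}


if __name__ == "__main__":
    print(demo())
```

The order of operations is the whole point: the tag is checked over the raw bytes and the function returns an error before `pickle.loads` ever sees attacker-controlled input, so a planted or modified file is rejected rather than executed. Tightening directory permissions alone does not give that property, because the unsafe loader still trusts whatever it finds.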
How can this vulnerability impact me?
This vulnerability can lead to remote code execution (RCE) on the system running pgAdmin 4. An attacker who is authenticated and can write to the sessions directory can execute arbitrary code with the privileges of the pgAdmin server process.
From that foothold the attacker can read anything the process can, including the saved database connection details pgAdmin keeps, and can go on to data theft, full compromise of the host, or further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirming that an installed pgAdmin 4 is older than 9.15, and checking whether the sessions directory that FileBackedSessionManager reads from can be written by anyone other than the account the pgAdmin server runs as.
Because exploitation requires an authenticated user with write access to the sessions directory, auditing the ownership and permissions of that directory and watching it for unexpected file creations or modifications are the most direct ways to spot abuse.
Suggested commands (assuming a Linux host; the sessions directory lives under pgAdmin's data directory, typically `/var/lib/pgadmin/sessions` for a server-mode package or container and `~/.pgadmin/sessions` for a per-user install, so substitute your actual path and service account):
- Check the pgAdmin 4 version: `pip show pgadmin4` for a pip install, `dpkg -l 'pgadmin4*'` or `rpm -qa 'pgadmin4*'` for distribution packages, or Help > About in the web interface.
- Check ownership and mode of the sessions directory: `ls -ld /var/lib/pgadmin/sessions`. Any owner other than the service account, or any group or world write bit, is a finding.
- List entries that are writable by others or not owned by the service account (GNU find syntax; replace `pgadmin` with your service account): `find /var/lib/pgadmin/sessions -maxdepth 1 \( -perm /022 -o ! -user pgadmin \)`, and files changed in the last hour: `find /var/lib/pgadmin/sessions -maxdepth 1 -type f -mmin -60`.
- Watch the directory live with `inotifywait -m -e create,modify,moved_to /var/lib/pgadmin/sessions`, or cover it with your file integrity monitoring agent at fleet scale.
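The permission, ownership and recency checks from the list above, as an added example written for this page rather than code from pgAdmin or the advisory: a small audit that flags a group- or world-writable sessions directory, entries that are writable by others or not owned by the expected service uid, symlinks and non-regular files, and recently modified files. It also applies one heuristic that is my assumption and not something the advisory states: a file whose first byte is the pickle PROTO opcode (0x80, used by pickle protocols 2 and up) is a bare pickle with nothing in front of it. The `demo()` function builds one sloppy and one tightened directory under a temporary path; both are constructed so the example runs offline.

```python
import os
import stat
import tempfile
import time

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_sessions_dir(path, expected_uid=None, recent_seconds=3600, now=None):
    """Return (kind, name, problem) tuples for a sessions directory and its entries.

    Hypothetical helper for this page. It encodes the checks from the list above
    plus a bare-pickle heuristic that is an assumption, not an advisory claim."""
    now = time.time() if now is None else now
    findings = []

    dst = os.stat(path)
    if dst.st_mode & GROUP_OR_WORLD_WRITE:
        findings.append(("dir", path, "group- or world-writable"))
    if expected_uid is not None and dst.st_uid != expected_uid:
        findings.append(("dir", path, "not owned by uid %d" % expected_uid))

    for name in sorted(os.listdir(path)):
        fp = os.path.join(path, name)
        st = os.lstat(fp)  # lstat: a symlink pointing elsewhere is itself a finding
        if stat.S_ISLNK(st.st_mode):
            findings.append(("file", name, "symlink inside sessions directory"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(("file", name, "not a regular file"))
            continue
        if st.st_mode & GROUP_OR_WORLD_WRITE:
            findings.append(("file", name, "group- or world-writable"))
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(("file", name, "not owned by uid %d" % expected_uid))
        if now - st.st_mtime < recent_seconds:
            findings.append(("file", name, "modified within the last %d s" % recent_seconds))
        with open(fp, "rb") as fh:
            head = fh.read(1)
        # Heuristic (assumption): pickle protocol 2+ streams begin with the PROTO
        # opcode 0x80, so a file starting that way is a bare pickle with no tag
        # or other envelope in front of it.
        if head == b"\x80":
            findings.append(("file", name, "starts with a raw pickle PROTO opcode"))
    return findings


def demo():
    """Constructed example: one sloppy directory and one tightened one."""
    uid = os.getuid() if hasattr(os, "getuid") else None
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sloppy = os.path.join(d, "sloppy")
        os.mkdir(sloppy)
        os.chmod(sloppy, 0o777)
        planted = os.path.join(sloppy, "planted.session")
        with open(planted, "wb") as fh:
            fh.write(b"\x80\x04\x95")  # constructed: looks like a pickle protocol-4 header
        os.chmod(planted, 0o666)
        results["sloppy"] = audit_sessions_dir(sloppy, expected_uid=uid)

        tight = os.path.join(d, "tight")
        os.mkdir(tight)
        os.chmod(tight, 0o700)
        old = os.path.join(tight, "old.session")
        with open(old, "wb") as fh:
            fh.write(b"opaque tagged blob")  # constructed: not a bare pickle
        os.chmod(old, 0o600)
        yesterday = time.time() - 86400
        os.utime(old, (yesterday, yesterday))
        results["tight"] = audit_sessions_dir(tight, expected_uid=uid)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "clean")
```

Run it against a real installation by calling `audit_sessions_dir("/var/lib/pgadmin/sessions", expected_uid=<uid of the service account>)`; treat every finding on the directory itself as more urgent than findings on individual files, since a writable directory is what lets an attacker plant a file in the first place.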
What immediate steps should I take to mitigate this vulnerability?
Upgrade pgAdmin 4 to 9.15 or later. That release adds the HMAC-SHA256 integrity check that rejects any session file the server did not write before it is deserialized, and it is the only complete fix.
Until you can upgrade, make the sessions directory writable only by the account the pgAdmin server runs as (owner-only mode, no group or world write bits, not shared with other interactive users). The unpatched loader still trusts any file it finds there, so this narrows who can plant a payload but does not remove the flaw.
Keep the rest of the hardening the fix introduces in place as well: session files encrypted at rest, restrictive permissions on the data directory, and least-privilege access to the pgAdmin process and its files.