CVE-2026-7820
Authentication Bypass in pgAdmin 4 via Flask-Security
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: PostgreSQL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgadmin | pgadmin_4 | to 9.15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7820 is a vulnerability in pgAdmin 4 related to improper restriction of excessive authentication attempts. The issue occurs because pgAdmin only enforced the maximum login attempts limit in its custom /authenticate/login view, but not in Flask-Security's default /login view. The default /login view did not properly check if a user account was locked, allowing attackers to bypass account lockouts by submitting valid credentials directly to /login after triggering a lockout via /authenticate/login.
This means that login attempts through the default /login view are not rate-limited, enabling attackers to perform unlimited password-guessing attacks against accounts using the INTERNAL authentication source. The vulnerability affects pgAdmin 4 versions before 9.15 and was fixed by overriding user status checks to enforce account lockouts on all authentication paths.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass account lockout protections and perform unlimited online password-guessing attacks against INTERNAL authentication accounts in pgAdmin 4. As a result, attackers may gain unauthorized access to user accounts by repeatedly trying passwords without being blocked or rate-limited.
Such unauthorized access could lead to compromise of sensitive database management functions and data accessible through pgAdmin, potentially impacting the security and integrity of your database environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves bypassing account lockout protections by submitting valid credentials directly to the Flask-Security default /login view after triggering a lockout via the /authenticate/login view. Detection involves monitoring for unusual authentication patterns, such as repeated login attempts to the /login endpoint that exceed the expected MAX_LOGIN_ATTEMPTS limit.
You can detect potential exploitation by analyzing web server logs for repeated POST requests to the /login endpoint from the same IP address or user account, especially following lockout events triggered via /authenticate/login.
Suggested commands to help detect this activity might include:
- Using grep or similar tools to search web server logs for repeated /login attempts: grep -i '/login' /path/to/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
- Monitoring for rapid or excessive login attempts from the same IP address or user: awk '$7 ~ "/login" {print $1}' /path/to/access.log | sort | uniq -c | sort -nr
- Using fail2ban or similar intrusion detection tools configured to watch the /login endpoint for brute-force patterns.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade pgAdmin 4 to version 9.15 or later, where the vulnerability has been fixed by overriding User.is_active and User.is_locked() to enforce the locked column on all authentication paths.
Until the upgrade can be applied, consider restricting access to the /login endpoint or implementing additional rate limiting and monitoring on this endpoint to prevent unbounded password guessing.
Additionally, review authentication logs regularly to detect suspicious login attempts and consider temporarily disabling INTERNAL authentication if feasible.