CVE-2026-12049
Status: Received - Intake
Open Redirect in pgAdmin 4 MFA Flow

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: PostgreSQL

Description
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming that the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> (a link typically delivered by phishing) would be sent to an attacker-controlled host directly out of the trusted auth flow. The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of follow-on credential phishing against the victim. The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes a user-supplied 'next' value through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter's PoC. This issue affects pgAdmin 4 from 6.0 before 9.16.
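The following is an added illustration of the same-origin policy the description attributes to the fix; it is not pgAdmin's own _is_safe_redirect_url code. It assumes the caller passes the current request host as seen by the server (in Flask that would be request.host, host plus port) and uses a constructed fallback path for the browser index.

```python
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
FALLBACK = "/browser/"  # constructed stand-in for the internal browser index


def is_safe_redirect_url(target: str, request_host: str) -> bool:
    """Accept only targets that stay on this host (policy as described in the advisory).

    Allowed: an absolute path ('/browser/') or an absolute http(s) URL whose
    host:port equals request_host. Everything else is rejected, including
    protocol-relative URLs, foreign schemes, userinfo tricks and backslash forms.
    """
    if not target or not target.strip():
        return False
    target = target.strip()
    # Some browsers treat '\' like '/', so '/\evil.example' is really
    # '//evil.example' (protocol-relative). Normalise before parsing so the
    # validator sees what the browser will see.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative reference. Protocol-relative forms have
        # an empty scheme and are rejected here even for our own host.
        if parts.scheme.lower() not in SAFE_SCHEMES:
            return False  # javascript:, data:, mailto:, '' (protocol-relative)
        if "@" in parts.netloc:
            return False  # userinfo trick: http://localhost@attacker/
        return parts.netloc.lower() == request_host.lower()
    # Relative reference: require a single leading slash; '//' would be a
    # host-less network-path reference after backslash normalisation.
    return target.startswith("/") and not target.startswith("//")


def resolve_next(target: str, request_host: str) -> str:
    """Return the validated 'next' target, or the internal fallback if unsafe."""
    return target if is_safe_redirect_url(target, request_host) else FALLBACK


if __name__ == "__main__":
    host = "localhost:5050"  # constructed example request host
    for candidate in ["/browser/", "http://localhost:5050/browser/",
                      "https://attacker.example/", "//attacker.example/",
                      "/\\attacker.example/", "http://localhost:5050@attacker.example/",
                      "javascript:alert(1)", ""]:
        print(f"{candidate!r:45} -> {resolve_next(candidate, host)}")
```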
Affected Vendors & Products
Vendor: pgadmin
Product: pgadmin_4
Version / Range: up to 9.16 (exclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability is an open redirect issue in pgAdmin 4's multi-factor authentication (MFA) flow. Specifically, the MFA validate and register endpoints accepted a user-supplied 'next' parameter without verifying that the redirect target was within the trusted pgAdmin domain. As a result, an authenticated user clicking a specially crafted link with a 'next' parameter pointing to an external, attacker-controlled site could be redirected outside the trusted authentication flow.

The vulnerability does not allow attackers to bypass privileges or gain direct access to pgAdmin or the victim's database. Instead, it enables attackers to increase the success of credential phishing attacks by making the phishing link appear to come from the trusted pgAdmin domain.

The fix involves introducing a helper function that validates redirect URLs to ensure they are either relative paths or absolute URLs pointing to the same host with http(s) schemes. Unsafe redirects are rejected and users are redirected internally instead.

Impact Analysis

This vulnerability can impact you by increasing the risk of successful credential phishing attacks. Because the redirect appears to come from the trusted pgAdmin domain, attackers can craft links that redirect authenticated users to malicious external sites after login.

While the attacker does not gain direct access to your pgAdmin account or database, the phishing attack could trick you into revealing sensitive credentials or other information on attacker-controlled sites.

Detection Guidance

This vulnerability involves an open redirect in pgAdmin 4's multi-factor authentication flow where the 'next' parameter can redirect users to external attacker-controlled URLs.

To detect exploitation attempts on your network or system, monitor HTTP requests to the /mfa/validate and /mfa/register endpoints that include a 'next' query or form parameter pointing to external or suspicious URLs.

You can use network monitoring or web server logs to identify such requests. For example, using command-line tools like grep on your web server logs to find suspicious redirects:

  • grep -i '/mfa/validate' /path/to/pgadmin/access.log | grep -Ei 'next=(https?(:|%3a)|(/|%2f|\\|%5c){2})'
  • grep -i '/mfa/register' /path/to/pgadmin/access.log | grep -Ei 'next=(https?(:|%3a)|(/|%2f|\\|%5c){2})'

These patterns match absolute 'next' values (plain or URL-encoded) as well as protocol-relative and backslash forms, regardless of host, so compare the host in each hit against your own pgAdmin host and discard the ones that point back to it. Note that a 'next' value sent as a form field in a POST body is not recorded in a standard access log, so log review covers the query-string variant only. Additionally, inspecting logs for unusual redirect URLs or patterns that do not match your pgAdmin host can help identify potential abuse.

Mitigation Strategies

To mitigate this vulnerability immediately, ensure that your pgAdmin 4 installation is updated to version 9.16 or later, where the fix has been implemented.

The fix introduces a helper function that validates the 'next' parameter to allow only safe internal redirects and rejects unsafe external URLs.

If updating immediately is not possible, consider implementing network-level controls to block or monitor suspicious redirect attempts to external URLs from the MFA endpoints.

Educate users to be cautious of phishing links that exploit this redirect behavior.

Compliance Impact

This vulnerability is an open redirect in pgAdmin 4's multi-factor authentication flow that can be exploited to redirect authenticated users to attacker-controlled sites, increasing the risk of credential phishing.

While the attacker does not gain direct access to pgAdmin or the victim's database, the increased risk of phishing could potentially lead to unauthorized access to sensitive data.

Such phishing risks may indirectly impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data and mandate measures to prevent unauthorized access.

However, the vulnerability itself is a trusted-domain redirect issue and does not directly expose data or bypass privileges.
