CVE-2026-7819
pgAdmin · pgAdmin 4
A symbolic-link path traversal vulnerability in the pgAdmin 4 File Manager allows authenticated users to access or manipulate unauthorized files.
Executive summary
A path traversal vulnerability in pgAdmin 4 exposes the application to unauthorized file system access, potentially leading to critical data integrity issues.
Vulnerability
This is a path traversal vulnerability (CWE-22, CWE-61) within the File Manager component. It requires the attacker to have low-level privileges (PR:L) to interact with the file management functions, where they can manipulate symbolic links to bypass directory restrictions.
Business impact
The vulnerability carries a CVSS score of 8.1 (High), primarily due to the potential for significant impact on file integrity and availability. An attacker successfully exploiting this flaw could read or overwrite sensitive configuration or database files, leading to unauthorized data exposure or complete service disruption.
Remediation
Immediate Action: Update pgAdmin 4 to version 9.15 or later immediately.
Proactive Monitoring: Review application logs for unusual file access patterns or attempts to traverse outside of designated directories.
Compensating Controls: Ensure that the service account running pgAdmin 4 follows the principle of least privilege, restricting its file system access to only the necessary directories required for operation.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the severity of this vulnerability, organizations should prioritize patching their pgAdmin 4 instances to version 9.15. Failure to address this flaw leaves the underlying database environment vulnerable to unauthorized file system manipulation by authenticated users.