CVE-2026-7813: Critical Authorization Bypass in pgAdmin 4 Server Mode
The National Vulnerability Database (NVD) has published CVE-2026-7813, a critical authorization vulnerability in pgAdmin 4's server mode, with a CVSS score of 9.9. Any authenticated user can read private server groups, servers, background processes and debugger function arguments that belong to other users. According to NVD, the root cause is that multiple endpoints looked objects up by ID alone and never filtered them by the requesting user's identity, so an attacker who guesses or enumerates an object ID (a classic insecure direct object reference) reaches another user's data.
The Shared Servers feature compounds the risk. NVD reports that it leaked owner credentials (passexec_cmd, passfile and SSL keys) to non-owners and opened a privilege escalation path: because passexec_cmd, the command pgAdmin runs to obtain a connection password, was writable by non-owners, an attacker could plant a command that pgAdmin then executes in the owner's process context. Non-owners could also corrupt owner data through SQLAlchemy session mutations, and several owner-only fields were writable through the API, so a non-owner's edits persisted in the owner's record.
Versions of pgAdmin 4 before 9.15 are affected. The fix centralizes access control in a new server_access module, scopes user-owned models with a UserScopedMixin so that every query is filtered by the requesting user, and adds explicit owner-only write guards. This is not only a data visibility issue: it is a privilege escalation and a potential remote code execution path, and exploiting it requires no administrator rights, only an authenticated account on the pgAdmin instance.
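The pattern described above, as an added example that is not pgAdmin's code and not the project's actual fix: a lookup that filters by primary key alone next to a version that scopes every query by the caller's identity, strips owner-only fields from non-owners' views, and routes non-owner edits to a private overlay instead of the owner's record. The model, the UserScopedMixin stand-in, the USER_OVERRIDES overlay and the sample data are hypothetical and constructed here; SQLAlchemy is replaced by an in-memory dict so the file runs offline.

```python
from dataclasses import dataclass, field

# Fields only the owner may read or write (the advisory's list of leaked or
# owner-only fields).
OWNER_ONLY_FIELDS = {"passexec_cmd", "passexec_expiration", "passfile",
                     "sslkey", "db_res", "db_res_type"}
# Fields a non-owner of a shared server may change, but only in a private copy.
PER_USER_FIELDS = {"kerberos_conn", "tags", "post_connection_sql"}


class Forbidden(Exception):
    """Raised when a write would touch a field the caller does not own."""


@dataclass
class Server:
    id: int
    user_id: int                      # owner
    name: str
    shared: bool = False
    passexec_cmd: str = ""            # command run to obtain the DB password
    tags: list = field(default_factory=list)


# Constructed sample data: user 100 owns a private server, user 200 a shared one.
SERVERS = {
    1: Server(1, 100, "prod-db", passexec_cmd="/usr/local/bin/get-pw prod"),
    2: Server(2, 200, "shared-analytics", shared=True,
              passexec_cmd="/usr/local/bin/get-pw analytics"),
}
# Hypothetical per-user overlay for shared servers: (server_id, user_id) -> fields.
USER_OVERRIDES = {}


# --- vulnerable shape: primary-key lookup with no identity filter -------------
def get_server_vulnerable(server_id):
    """Anyone who guesses an id gets the whole row, credential fields included."""
    return SERVERS.get(server_id)


def update_server_vulnerable(server_id, payload):
    """Writes straight into the owner's row; passexec_cmd becomes attacker-controlled."""
    srv = SERVERS[server_id]
    for key, value in payload.items():
        setattr(srv, key, value)
    return srv


# --- hardened shape: identity-scoped query plus owner-only write guard --------
class UserScopedMixin:
    """Hypothetical stand-in: every query starts from the caller's identity."""
    @staticmethod
    def visible_to(user_id):
        return [s for s in SERVERS.values() if s.user_id == user_id or s.shared]


def get_server(server_id, user_id):
    """Returns the caller's view of the server as a dict, or None (404, not 403,
    so an unauthorized caller cannot confirm that the id exists)."""
    for srv in UserScopedMixin.visible_to(user_id):
        if srv.id == server_id:
            view = dict(vars(srv))            # copy: never hand out the ORM row
            if srv.user_id != user_id:
                for name in OWNER_ONLY_FIELDS:
                    view.pop(name, None)      # strip credential fields
                view.update(USER_OVERRIDES.get((server_id, user_id), {}))
            return view
    return None


def update_server(server_id, user_id, payload):
    """Owner writes hit the record; non-owner writes go to a private overlay."""
    if get_server(server_id, user_id) is None:
        return None
    srv = SERVERS[server_id]
    if srv.user_id == user_id:
        for key, value in payload.items():
            setattr(srv, key, value)
    else:
        if not set(payload) <= PER_USER_FIELDS:
            raise Forbidden("owner-only or unknown field in payload")
        USER_OVERRIDES.setdefault((server_id, user_id), {}).update(payload)
    return get_server(server_id, user_id)
```

Two design choices worth copying: the scoped lookup answers an unauthorized id with the same result as a nonexistent one, so ID guessing yields no oracle, and the response is always a copy, so a handler can never mutate the owner's row through the ORM session by accident.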
What This Means For You
- If your organization runs pgAdmin 4 in server mode, treat this as urgent. Identify every instance, including container images and internal developer deployments, confirm each is on version 9.15 or later, and upgrade any that is not; earlier versions are exposed to unauthorized access, credential theft and arbitrary command execution. Assume any authenticated user could have escalated privileges or read sensitive data, so rotate credentials reachable through Shared Servers (passfile contents, SSL keys, passwords returned by passexec_cmd) on instances that were exposed. Audit logs for unusual activity, especially around shared server configuration changes, edits to passexec_cmd and debugger usage.
🛡️ Detection Rules
CVE-2026-7813: pgAdmin 4 Unauthorized Access to Server Objects
```yaml
title: 'CVE-2026-7813: pgAdmin 4 Unauthorized Access to Server Objects'
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects attempts to access pgAdmin 4 server objects (Server Groups, Servers, Shared Servers, Background Processes, Debugger) without proper authorization. This rule specifically targets the endpoints known to be vulnerable in CVE-2026-7813 where object IDs were not properly filtered by the requesting user's identity, allowing authenticated users to access other users' private data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7813/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains:
      - '/server/details'
      - '/server/group/details'
      - '/shared/servers/details'
      - '/background/processes/details'
      - '/debugger/details'
    sc-status:
      - 200
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Owners viewing their own objects (a web server log does not record who owns the requested object)
```
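The rule's selection applied to a handful of constructed log lines, as an added example that is neither part of the original page nor the rule author's work. It shows the limitation of the rule as published: a web server log records who made the request but not who owns the object, so every successful access by the owner matches too. The second function enriches each hit with a hypothetical ownership lookup (the OWNERS map, invented here, standing in for a query against pgAdmin's configuration database) and fires only on a cross-user read. The log format, user names and object IDs are constructed; the paths are taken from the rule above and should be checked against the routes your pgAdmin version actually serves before the rule is deployed.

```python
import re

# Paths exactly as listed in the rule's selection.
RULE_URIS = ["/server/details", "/server/group/details", "/shared/servers/details",
             "/background/processes/details", "/debugger/details"]

# Constructed sample log. Fields: date time cs-username cs-method c-uri sc-status
LOG = """\
2026-05-11 19:20:01 alice GET /server/details/1 200
2026-05-11 19:20:05 bob GET /server/details/1 200
2026-05-11 19:20:09 bob GET /server/details/2 200
2026-05-11 19:20:12 bob GET /server/details/3 404
2026-05-11 19:20:15 alice GET /browser/ 200
"""

# Hypothetical ownership lookup: server id -> owning user name.
OWNERS = {1: "alice", 2: "bob"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_ID_RE = re.compile(r"/(\d+)$")


def parse(line):
    """Splits one constructed log line into an event dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _date, _time, user, method, uri, status = m.groups()
    return {"user": user, "method": method, "uri": uri, "status": int(status)}


def sigma_match(event):
    """The rule as published: any HTTP 200 on one of the listed paths."""
    return event["status"] == 200 and any(p in event["uri"] for p in RULE_URIS)


def cross_user_access(event):
    """Fires only when the requester is not the owner of the referenced object.
    Unknown ids are not flagged, so this never fires on a guess that missed."""
    m = OBJECT_ID_RE.search(event["uri"])
    if not m or not sigma_match(event):
        return False
    owner = OWNERS.get(int(m.group(1)))
    return owner is not None and owner != event["user"]


def run(log=LOG):
    """Returns both hit lists so the two detections can be compared side by side."""
    events = [e for e in (parse(line) for line in log.splitlines()) if e]
    return {
        "sigma_hits": [f'{e["user"]} {e["uri"]}' for e in events if sigma_match(e)],
        "cross_user": [f'{e["user"]} {e["uri"]}' for e in events if cross_user_access(e)],
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On this sample the published selection fires three times, twice on owners reading their own servers, while the enriched check fires once, on bob reading alice's server. In production the enrichment should come from pgAdmin's own configuration store or application audit log rather than a static map, and bob's 404 on id 3 followed by a 200 on id 1 is the enumeration sequence worth a separate threshold rule.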
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7813 | Auth Bypass | pgAdmin 4 server mode: Access to user-owned objects (Server Groups, Servers, Shared Servers, Background Processes, Debugger modules) without identity filtering by guessing object IDs. |
| CVE-2026-7813 | Information Disclosure | pgAdmin 4 Shared Servers feature: Credential leakage (passexec_cmd, passfile, SSL keys). |
| CVE-2026-7813 | Privilege Escalation | pgAdmin 4 Shared Servers feature: Writable passexec_cmd allowing arbitrary command execution in owner's process context. |
| CVE-2026-7813 | Information Disclosure | pgAdmin 4 Shared Servers feature: Non-owners can read owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) via API. |
| CVE-2026-7813 | Data Tampering | pgAdmin 4 Shared Servers feature: non-owner edits to kerberos_conn, tags and post_connection_sql are written into the owner's record because there is no per-user persistence. |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 19:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.