CVE-2026-7818: pgAdmin 4 Deserialization Flaw Allows RCE

/HIGH /CVSS 7/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityremote-code-execution
CVE-2026-7818: pgAdmin 4 Deserialization Flaw Allows RCE

The National Vulnerability Database has detailed CVE-2026-7818, a high-severity deserialization vulnerability (CWE-502) in pgAdmin 4’s FileBackedSessionManager. This flaw allowed unsafe deserialization of session file contents, leveraging Python’s standard object-serialization module, before any HMAC integrity check. Essentially, any file dropped into the sessions directory was unconditionally deserialized.

An authenticated user with write access to the sessions directory—either through misconfiguration or in conjunction with another path traversal vulnerability—could plant a specially crafted serialized payload. This would lead to operating-system level remote code execution under the pgAdmin process identity. The National Vulnerability Database states this issue affects pgAdmin 4 versions prior to 9.15.

The fix involves prepending a 64-byte hex SHA-256 HMAC over the session body, computed with SECRET_KEY, and verifying it via hmac.compare_digest before any deserialization. This critical integrity check is now enforced, even raising an error if SECRET_KEY is empty, preventing attackers from bypassing it. This is a classic example of what happens when integrity checks come too late in the processing chain.

What This Means For You

  • If your organization uses pgAdmin 4, you need to check your version immediately. This isn't theoretical: an authenticated attacker with a foothold can elevate privileges to RCE. Patch pgAdmin 4 to version 9.15 or later RIGHT NOW to remediate CVE-2026-7818. Also, audit your session directory permissions for any excessive write access.

Indicators of Compromise

IDTypeIndicator
CVE-2026-7818 RCE pgAdmin 4: before 9.15
CVE-2026-7818 Deserialization CWE-502
CVE-2026-7818 Deserialization pgAdmin 4 FileBackedSessionManager
CVE-2026-7818 RCE Unsafe deserialization of session-file contents in sessions directory

Written by SCW Vulnerability Desk

🔎
Track critical vulnerabilities Use /brief to get an analyst-ready weekly threat summary with severity rankings and key IOCs.
Open Intel Bot →
Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 11, 2026 at 19:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

OpenClaw Improper Authentication: CVE-2026-8305 Publicly Exploitable

CVE-2026-8305 — A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component...

vulnerabilityCVEhigh-severitycwe-287
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 4 IOCs /⚙ 2 Sigma

OpenClaw Improper Access Control Bypasses Denylist, Allows Persistent Malicious Configs

CVE-2026-45006 — OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write...

vulnerabilityCVEhigh-severityimproper-access-controlcwe-184
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 3 Sigma

OpenClaw RCE: Arbitrary Code Execution via Plugin Setup Resolver

CVE-2026-45004 — OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup...

vulnerabilityCVEhigh-severitycode-executioncwe-427
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 5 IOCs /⚙ 3 Sigma