SCA: security update for pgadmin4 (GHSA-h2x2-q2mc-24gw)

Critical | Tenable Cloud Security Plugin ID 442093

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's private servers, server groups, background processes, and debugger function arguments by guessing object IDs. Additionally, the Shared Servers feature contained multiple issues including credential leakage (passexec_cmd, passfile, SSL keys), privilege escalation via writable passexec_cmd (a shell command executed when establishing the connection) allowing arbitrary command execution in the owner's process context, and owner-data corruption via SQLAlchemy session mutations. Several owner-only fields (passexec_cmd, passexec_expiration, db_res, db_res_type) were writable by non-owners through the API, and additional fields (kerberos_conn, tags, post_connection_sql) lacked per-user persistence, so non-owner edits mutated the owner's record. The fix centralises access control via a new server_access module, scopes all user-owned models with a UserScopedMixin, returns HTTP 410 from connection_manager when access is denied in server mode, suppresses owner-only fields for non-owners across the merge / API response / ServerManager paths, and adds an explicit owner-only write guard. The remediation landed in two pull requests; both are referenced. This issue affects pgAdmin 4: before 9.15. (CVE-2026-7813)
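The defect class described above is a lookup keyed on object ID alone, with no check that the requesting user owns (or has been granted) the object, compounded by owner-only secrets being returned to non-owners. The following is an added illustration of the scoping pattern the fix describes, written for this page and not taken from pgAdmin: the `server` table, its column names (including the constructed `sslkey` column), the sample rows, and the `fetch_server_*` / `update_server_for_user` functions are all made up for the example. It uses the standard-library `sqlite3` module rather than SQLAlchemy, and it models only the owner filter, the owner-only field suppression, and the owner-only write guard; pgAdmin's `UserScopedMixin`, `server_access` module and the HTTP 410 mapping are not reproduced here.

```python
"""
Owner scoping for user-owned objects: the unscoped lookup beside the
scoped one, plus field suppression and a write guard for shared objects.
Constructed example; schema, data and function names are not pgAdmin's.
"""
import sqlite3

# Fields only the owner of a shared server may read or write. The advisory
# names passexec_cmd, passexec_expiration, passfile and SSL keys; the column
# names used here are constructed for this example.
OWNER_ONLY_FIELDS = {"passexec_cmd", "passexec_expiration", "passfile", "sslkey"}
EDITABLE_FIELDS = {"name", "host"} | OWNER_ONLY_FIELDS


def make_db():
    """Constructed sample data: user 1 (alice) and user 2 (bob) each own a
    private server, and alice additionally shares one server."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        """CREATE TABLE server (
               id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
               name TEXT, host TEXT, shared INTEGER NOT NULL DEFAULT 0,
               passexec_cmd TEXT, passexec_expiration INTEGER,
               passfile TEXT, sslkey TEXT)"""
    )
    db.executemany(
        "INSERT INTO server VALUES (?,?,?,?,?,?,?,?,?)",
        [
            (1, 1, "alice-private", "db1.internal", 0,
             "/opt/getpw.sh", 3600, "/home/alice/.pgpass", "/home/alice/key.pem"),
            (2, 2, "bob-private", "db2.internal", 0, None, None, None, None),
            (3, 1, "alice-shared", "db3.internal", 1,
             "/opt/getpw.sh", 3600, None, None),
        ],
    )
    return db


def fetch_server_unscoped(db, server_id):
    """Vulnerable pattern: the row is selected by object ID only, so the
    requesting user's identity never enters the query and every column,
    owner-only secrets included, comes back to whoever supplies the ID."""
    row = db.execute("SELECT * FROM server WHERE id = ?", (server_id,)).fetchone()
    return dict(row) if row else None


def fetch_server_for_user(db, server_id, user_id):
    """Hardened pattern: the requesting user is part of the WHERE clause.
    A private server is visible only to its owner; a shared server is
    visible to anyone, but owner-only fields are stripped for non-owners.
    Returns None when access is denied so the caller can map that to an
    error status instead of leaking whether the ID exists."""
    row = db.execute(
        "SELECT * FROM server WHERE id = ? AND (user_id = ? OR shared = 1)",
        (server_id, user_id),
    ).fetchone()
    if row is None:
        return None
    data = dict(row)
    if data["user_id"] != user_id:
        for field in OWNER_ONLY_FIELDS:
            data.pop(field, None)
    return data


def update_server_for_user(db, server_id, user_id, changes):
    """Owner-only write guard. Non-owners may not write to a shared server's
    row at all in this example (pgAdmin's fix instead persists some
    non-owner edits per user, which is not modelled here), so a non-owner
    can neither set passexec_cmd nor corrupt the owner's record.
    Returns True on success and False when the write is denied."""
    current = fetch_server_for_user(db, server_id, user_id)
    if current is None or current["user_id"] != user_id:
        return False
    unknown = changes.keys() - EDITABLE_FIELDS
    if unknown:
        raise ValueError(f"unsupported fields: {sorted(unknown)}")
    # Column names are validated against EDITABLE_FIELDS above, so only
    # trusted identifiers reach the SQL text; values stay parameterised.
    assignments = ", ".join(f"{field} = ?" for field in changes)
    db.execute(
        f"UPDATE server SET {assignments} WHERE id = ? AND user_id = ?",
        (*changes.values(), server_id, user_id),
    )
    return True


if __name__ == "__main__":
    db = make_db()
    print("unscoped, bob reads alice's server:", fetch_server_unscoped(db, 1))
    print("scoped, bob reads alice's server:", fetch_server_for_user(db, 1, 2))
    print("scoped, bob reads shared server:", fetch_server_for_user(db, 3, 2))
```

Running the block shows the unscoped lookup handing bob alice's `passexec_cmd` and `passfile`, the scoped lookup returning `None` for the same ID, and the shared server coming back to bob without any owner-only column. Reviewing an application for this class of bug means checking that every endpoint that loads a user-owned object takes the same path as `fetch_server_for_user`, not merely that the most visible one does.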

Solution

Update the pgadmin4 library and its related packages to version 9.15 or later.

See Also

https://github.com/advisories/GHSA-h2x2-q2mc-24gw

Plugin Details

Severity: Critical

ID: 442093

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 5/18/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.41

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-7813

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/11/2026

Vulnerability Publication Date: 5/11/2026

Reference Information

CVE: CVE-2026-7813

CWE: CWE-284