SCA: security update for pgadmin4 (GHSA-hv9p-2pqf-r5w3)

medium Tenable Self-Hosted Container Security Plugin ID 442101

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces
MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view,
which is registered automatically by security.init_app() and is reachable on every server, never consulted
the User.locked field: pgAdmin's User model relied on Flask-Security's UserMixin.is_locked() (which always
returns 'not locked') and Flask-Login's is_active (which only checks the active column, not locked). An
attacker who triggered an account lockout via /authenticate/login could therefore obtain a session by re-
submitting valid credentials directly to /login, defeating the brute-force-protection control for accounts
using the INTERNAL authentication source. The same bypass also means that login attempts via /login are
never rate-limited, so an attacker can perform an unbounded online password-guessing attack against
INTERNAL accounts regardless of MAX_LOGIN_ATTEMPTS. Fix overrides User.is_active and User.is_locked() so
the locked column is enforced on every authentication path. LDAP, OAuth2, Kerberos, and Webserver users
are not reachable by this bypass because they have no local password and are rejected by Flask-Security's
LoginForm.validate before the locked check; the lockout itself is also internal-only (the
/authenticate/login view filters by auth_source=INTERNAL). This issue affects pgAdmin 4: before 9.15.
(CVE-2026-7820)

Solution

Update the pgadmin4 library and its related packages to version 9.15 or later.

See Also

https://github.com/advisories/GHSA-hv9p-2pqf-r5w3

Plugin Details

Severity: Medium

ID: 442101

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 5/18/2026

Updated: 6/10/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.69

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-7820

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/11/2026

Vulnerability Publication Date: 5/11/2026

Reference Information

CVE: CVE-2026-7820

cwe: CWE-307