pgAdmin < 9.16 Missing Authentication (CVE-2026-12046)

Severity: Critical | Nessus Plugin ID 322417

Synopsis

The pgAdmin instance installed on the remote host is affected by a missing authentication vulnerability.

Description

The version of pgAdmin installed on the remote host is prior to 9.16. It is, therefore, affected by a missing authentication vulnerability:

- Two state-mutating SQL Editor endpoints are missing the pga_login_required decorator and are reachable without authentication in server mode. Both endpoints reach pickle.loads on a session-stored command object. Chained with a separately obtained SECRET_KEY leak and write access to the sessions directory, this exposes an unauthenticated remote code execution path. (CVE-2026-12046)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade pgAdmin to version 9.16 or later.

See Also

https://github.com/pgadmin-org/pgadmin4/issues/10072

http://www.nessus.org/u?58802d4b

Plugin Details

Severity: Critical

ID: 322417

File Name: pgadmin_CVE-2026-12046.nasl

Version: 1.2

Type: Local

Agent: windows, macosx, unix

Family: Databases

Published: 6/24/2026

Updated: 6/25/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-12046

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.5

Threat Score: 8.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

CPE: cpe:/a:postgresql:pgadmin_4

Required KB Items: installed_sw/PostgreSQL pgAdmin4

Exploit Ease: No known exploits are available

Patch Publication Date: 6/18/2026

Vulnerability Publication Date: 6/18/2026

Reference Information

CVE: CVE-2026-12046