{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12046", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2026-06-11T20:40:07.093Z", "datePublished": "2026-06-18T23:37:37.430Z", "dateUpdated": "2026-06-18T23:37:37.430Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-06-18T23:37:37.430Z"}, "title": "pgAdmin 4: Unauthenticated pickle deserialization in SQL Editor close / update_connection routes enables remote code execution", "affected": [{"vendor": "pgadmin.org", "product": "pgAdmin 4", "repo": "https://github.com/pgadmin-org/pgadmin4", "modules": ["SQL Editor"], "programFiles": ["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/tools/sqleditor/__init__.py"], "versions": [{"status": "affected", "version": "6.9", "lessThan": "9.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> -- were the only routes in the module missing the @pga_login_required decorator. Both reach a pickle.loads sink on session['gridData'][<trans_id>]['command_obj']: the close endpoint via close_sqleditor_session(), and update_sqleditor_connection via check_transaction_status(). In server mode these endpoints were reachable without any authenticated pgAdmin session.\n\nThe defect is a missing-authentication-on-critical-function (CWE-306) wrapper around a deserialization-of-untrusted-data sink (CWE-502). Exploiting it for remote code execution requires the attacker to also forge a server-side session file whose gridData entry contains a malicious pickle payload, which in turn requires both (a) knowledge of pgAdmin's Flask SECRET_KEY (no chain to leak it is described here -- the attacker must already possess it) and (b) write access to pgAdmin's sessions/ directory on the host. Neither precondition is granted by this defect on its own. When those preconditions are met from another channel (misconfigured deployment, prior compromise, leaked configuration), the missing auth gate is the final hop that turns an existing partial compromise into unauthenticated code execution in the pgAdmin process -- and, by extension, on the host under whatever account runs pgAdmin.\n\nFix is a one-line @pga_login_required decorator on each of the two endpoints, matching the convention used by every other route in the module. The is_authenticated / MFA chain now runs before the trans_id is dereferenced, so an unauthenticated request is rejected before reaching the deserialization path.\n\nThe defect is server-mode only. In DESKTOP mode pgAdmin's before_request hook re-authenticates DESKTOP_USER on every request, so no endpoint can be exercised in an unauthenticated state and no auth decorator (or its absence) is meaningful. The accompanying regression test mirrors the attacker's path -- harvests an X-pgA-CSRFToken from GET /login and replays it against both endpoints -- and self-skips outside server mode for that reason; it is wired into the existing server-mode CI workflow alongside the data-isolation tests.\n\nThis issue affects pgAdmin 4: from 6.9 before 9.16."}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/10072", "tags": ["issue-tracking"]}, {"url": "https://github.com/pgadmin-org/pgadmin4/commit/f81433ae2f998f95bb17f27f53b4e99ebcc1df9c", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "The defect itself is a missing @pga_login_required decorator on two SQL Editor routes (DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/...), both reaching pickle.loads on session['gridData'][<trans_id>]['command_obj'].\n\nAC:H captures the practical preconditions: the attacker needs (a) pgAdmin's Flask SECRET_KEY and (b) write access to the sessions/ directory in order to forge a session file containing a malicious pickle payload. Neither is granted by this defect. With both in hand the attacker reaches the pickle.loads sink unauthenticated via the missing-auth endpoints. S:C captures the transition from a web endpoint to OS code execution under the pgAdmin service account.\n\nPractical note: the 'unauthenticated RCE' headline oversells the real-world risk. An attacker who already possesses the SECRET_KEY and can write to sessions/ can equally forge an *authenticated* session cookie -- the same pickle.loads sink is reachable from any logged-in user. The defect's marginal contribution is removing the login requirement on two specific routes (making the attack one step cheaper), not creating a new RCE surface. AC:H reflects that. An alternative S:U scoring (-> 8.1 HIGH) is defensible if the score should track that real-world risk profile rather than the worst credible authority crossing."}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "Same reasoning as the CVSS 3.1 entry. AT:P captures the SECRET_KEY + writable-sessions/ preconditions that are not provided by this defect alone. The pickle.loads sink yields arbitrary code execution in the pgAdmin process, treated as full Subsequent System compromise on the host."}], "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "baseScore": 9.5, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}, {"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "credits": [{"lang": "en", "value": "Fernando Bortotti <fernando.bortotti@bsd.com.br>", "type": "finder"}, {"lang": "en", "value": "Ashesh Vashi <ashesh.vashi@enterprisedb.com>", "type": "remediation developer"}], "source": {"discovery": "EXTERNAL"}}}}

{}

{}

{}

{}