{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12049", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2026-06-11T20:40:09.111Z", "datePublished": "2026-06-18T23:37:43.328Z", "dateUpdated": "2026-06-18T23:37:43.328Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-06-18T23:37:43.328Z"}, "title": "pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter", "affected": [{"vendor": "pgadmin.org", "product": "pgAdmin 4", "repo": "https://github.com/pgadmin-org/pgadmin4", "modules": ["Authentication", "Multi-Factor Authentication"], "programFiles": ["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/authenticate/mfa/views.py"], "versions": [{"status": "affected", "version": "6.0", "lessThan": "9.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.\n\nThe defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.\n\nFix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.\n\nThis issue affects pgAdmin 4: from 6.0 before 9.16."}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/10028", "tags": ["issue-tracking"]}, {"url": "https://github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a9076d204cd", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "Attacker delivers a crafted /mfa/validate?next=<external> URL to a logged-in pgAdmin user (typically via phishing). The endpoint requires login_required so the victim must already be authenticated to pgAdmin -- but the *attacker* needs no pgAdmin privileges at all to construct and deliver the link (PR:N). UI:R captures the click. Scope is unchanged: the defect does not grant the attacker access to pgAdmin's authority or the victim's database session; it only launders the attacker's destination through pgAdmin's URL, which raises credential-phishing success rates. C:N and A:N follow from the same reasoning; I:L acknowledges the integrity impact of an authenticated-flow redirect that lends pgAdmin's trust to an attacker domain.\n\nReviewer note (Dave Page, 2026-06-11): defensible at 4.3 for a token-free open redirect. Heads-up that NVD house style for open redirects often lands at S:C/C:L/I:L -> 6.1, so expect a possible upward rescore by the NVD analyst."}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "Same reasoning as the CVSS 3.1 entry: the attacker needs no pgAdmin privileges to craft the link, the victim must click it (UI:P), and the defect grants no new vulnerable-system or subsequent-system capability beyond a trusted-domain redirect that aids downstream phishing (VI:L only)."}], "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "cweId": "CWE-601", "type": "CWE"}]}], "credits": [{"lang": "en", "value": "Mai Ph\u1ea1m Hi\u1ec1n <mai.phamhien171@gmail.com>", "type": "finder"}, {"lang": "en", "value": "Dave Page <page@pgadmin.org>", "type": "remediation developer"}, {"lang": "en", "value": "Kundan Sable <kundan.sable@enterprisedb.com>", "type": "remediation reviewer"}], "source": {"discovery": "EXTERNAL"}}}}

{}

{}

{}

{"created": "2026-06-19T01:30:16.171846+00:00", "updated": "2026-06-19T01:30:16.171852+00:00", "vendors": []}