CRITICAL🇵🇱 Wersja polska

CVE-2024-9014

CVSS 9.9v3.1pub. 2024-09-23upd. 2025-09-22

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-522 (Insufficiently Protected Credentials) indicates that OAuth2 authentication data — client ID and client secret — are stored or transmitted in an insufficiently protected manner. A logged-in attacker with network access can obtain this data without needing to meet additional conditions (low privilege level, no user interaction required). Obtaining the client secret allows impersonation of the application and takeover of control over the OAuth2 authorization flow.

Impact

An attacker can obtain unauthorized access to user accounts and their data, and by compromising the client secret — also impersonate the application within the OAuth2 authentication process, resulting in complete breach of confidentiality, integrity, and availability of the environment.

Mitigation & patch

pgAdmin 4 should be updated to a version higher than 8.11. Details regarding available patches can be found in the vendor's references: https://github.com/pgadmin-org/pgadmin4/issues/7945

Who is affected

pgAdmin 4 versions 8.11 and earlier using OAuth2 authentication

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Pgadmin 4

    APP
    Pgadmin
    < 8.12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-12048CRITICAL9.3ten sam produkt

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a P...

CVE-2026-12046CRITICAL9.5ten sam produkt

Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POS...

CVE-2026-12045CRITICAL9.4ten sam produkt

Read-only transaction bypass in the pgAdmin 4 AI Assistant allows an attacker who can influence database conte...

CVE-2026-7813CRITICAL9.4PL ✓ten sam produkt

pgAdmin 4: nieautoryzowany dostęp i privilege escalation w trybie serwerowym

CVE-2025-13780CRITICAL9.1PL ✓ten sam produkt

RCE w pgAdmin 4 poprzez złośliwe pliki dump w trybie serwerowym