Local File Inclusion and Server-Side Request Forgery in pgAdmin 4 by pgAdmin
CVE-2026-7817

7.1HIGH

Key Information:

Vendor: Pgadmin.org
Status: Pgadmin 4
Vendor: CVE Published:; 11 May 2026

🔔 Create Pgadmin.org Vulnerability Alert

What is CVE-2026-7817?

pgAdmin 4 suffers from local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities due to improper validation of user-supplied inputs in the LLM API configuration endpoints. Authenticated users could potentially exploit these weaknesses to access arbitrary files on the server or manipulate requests to internal services by modifying the api_key_file and api_url parameters. The fix includes restrictions on the api_key_file path, ensuring it is limited to the user's private storage or home directory, and instituting a validation process for api_url against an allow-list at all entry points. This vulnerability affects versions of pgAdmin 4 prior to 9.15.

Affected Version(s)

pgAdmin 4 9.13

References

https://github.com/pgadmin-org/pgadmin4/issues/9900

issue-tracking

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 4, 2026

Credit

j3seer

CVE-2026-7817 Data

JSON