Authentication Bypass in pgAdmin 4 by pgAdmin Development Team
CVE-2026-7820

6.9MEDIUM

Key Information:

Vendor: Pgadmin.org
Status: Pgadmin 4
Vendor: CVE Published:; 11 May 2026

🔔 Create Pgadmin.org Vulnerability Alert

What is CVE-2026-7820?

An authentication bypass vulnerability exists in pgAdmin 4 due to improper rate limiting on login attempts. The MAX_LOGIN_ATTEMPTS control is enforced only on the custom login view, leaving the default Flask-Security login view exposed to brute force attacks. An attacker could bypass account lockouts by exploiting the /login endpoint, which doesn't check the user's lock status properly. This oversight allows unbounded online password-guessing attempts against accounts using the INTERNAL authentication source, potentially compromising user security. The fix ensures all authentication paths enforce user account status correctly.

Affected Version(s)

pgAdmin 4 0

References

https://github.com/pgadmin-org/pgadmin4/issues/9904

issue-tracking

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 4, 2026

Credit

Fernando Bortotti

CVE-2026-7820 Data

JSON