
pgAdmin 4 SQL Editor Authentication Bypass Leading to Code Execution

CVE advisory. Severity: CRITICAL (CVSS 9.5)

CVE-2026-12046

pgAdmin 4 is a widely used web-based database management interface designed for server-mode deployment, which often involves hosting the application to be accessible over a network. While the specific exploit requires additional preconditions, the application endpoints themselves are part of an internet-facing web service, making this a common deployment pattern for remote administration tools.

Weakness class: Missing Authentication

External exposure likelihood (Halo Surface Signal): 4 out of 5, likely to be public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in pgAdmin 4, specifically in its SQL Editor functionality when running in server mode. This issue could potentially allow an unauthenticated attacker to execute arbitrary code on the server hosting pgAdmin 4, provided certain preconditions are met. The vulnerability stems from missing authentication checks on critical functions that handle sensitive data deserialization.

  • Two critical functions are reachable without authentication.
  • Enables remote code execution if the other preconditions are met.
  • Verify whether pgAdmin 4 runs in server mode and how exposed it is.

Attack Path

How an attacker could exploit the issue

An attacker could target the pgAdmin 4 SQL Editor if it's running in server mode and they already possess the Flask SECRET_KEY and write access to the sessions directory. By sending specially crafted requests to two unauthenticated endpoints, an attacker could trigger a deserialization vulnerability. If the necessary preconditions are met, this could allow for unauthenticated remote code execution within the pgAdmin process.

  • Attackers need prior access: the Flask SECRET_KEY and write access to the session directory.
  • Unauthenticated endpoints trigger the deserialization.
  • Result: remote code execution within the pgAdmin process.

Live Threat

Current exploitation, exposure, and threat context

When deployed in server mode, this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the host running pgAdmin, provided they have already obtained write access to pgAdmin's session directory and knowledge of the Flask SECRET_KEY.

  • Impact scope: the pgAdmin process on the host.
  • Unauthenticated network requests reach the endpoints with no authorization check.
  • Outcome: unauthenticated code execution on the host when the preconditions hold.

Operational Fix

Recommended remediation, mitigation, and detection steps

System owners and infrastructure teams are primarily responsible for addressing this critical vulnerability in pgAdmin 4's server mode. The first practical step involves identifying all instances of pgAdmin 4 in server mode, confirming their network accessibility and business criticality, and then locating the accountable owner for each instance to plan remediation.

  • Identify pgAdmin 4 server instances and ownership.
  • Verify network exposure and business criticality.
  • Plan remediation based on risk and impact.


Frequently asked questions

What is pgAdmin 4?

pgAdmin 4 is a popular web-based interface used for managing and administering PostgreSQL databases. It is frequently deployed in server mode, allowing administrators to access and control their databases through a web browser across a network.

What does CVE-2026-12046 mean for security?

This CVE describes a flaw where two specific SQL Editor endpoints lack required authentication checks, known as Missing Authentication for Critical Function (CWE-306). Because these endpoints also process data in an unsafe way (Deserialization of Untrusted Data, CWE-502), the missing check allows an attacker to interact with the vulnerable deserialization process without logging in first.

Does this flaw trigger just by sending a request?

No. While the missing authentication makes the endpoints reachable without login, the deserialization bug is not triggered by a standard request alone. An attacker must first possess the application's Flask SECRET_KEY and have write access to the host's session directory to provide the malicious data needed to execute code. If these specific preconditions are not met, the flaw cannot be exploited.

Who is at risk from CVE-2026-12046?

Users running pgAdmin 4 in server mode should care, especially if the interface is accessible over a network. According to Halo Surface Signal, because pgAdmin 4 is a remote administration tool, it is often configured as an internet-facing service, which may increase the likelihood that an attacker could reach these endpoints if other security layers fail.

How do I secure my pgAdmin 4 installation?

First, confirm if your pgAdmin 4 instances are running in server mode, as desktop mode is not affected by this specific issue. Next, identify the systems and verify their network accessibility. Plan for an update to a patched version that includes the necessary authentication decorators, ensuring that all access to the SQL Editor endpoints is properly gated by login requirements.
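The fix described here, and in the CWE-306 answer above, is an authentication decorator on every SQL Editor endpoint. As an added illustration that is not pgAdmin's own code, the stand-in below uses a minimal Flask-style route table with hypothetical paths: one view registered without the check, one gated by it, and an audit that lists any registered view that lacks the decorator. It also shows why decorator order matters: the gate must sit inside the route decorator, or the ungated function is what gets registered.

```python
import functools

class Unauthorized(Exception):
    """Raised when a gated view is called without an authenticated session."""

ROUTES = {}  # path -> registered view function (stand-in for a Flask blueprint)

def route(path):
    """Register a view under a URL path. Must be the outermost decorator so
    that the function stored in ROUTES is the gated wrapper, not the raw view."""
    def register(view):
        ROUTES[path] = view
        return view
    return register

def login_required(view):
    """Reject the call unless the session carries an authenticated user id."""
    @functools.wraps(view)
    def gated(session, *args, **kwargs):
        if not session.get("user_id"):
            raise Unauthorized(f"{view.__name__} requires an authenticated session")
        return view(session, *args, **kwargs)
    gated._login_required = True  # marker that the audit below looks for
    return gated

@route("/sqleditor/example_unprotected")  # hypothetical path, not a real pgAdmin route
def unprotected_view(session, payload):
    # Reaches the data-handling code without any authentication check (CWE-306).
    return f"handled {payload!r}"

@route("/sqleditor/example_protected")  # hypothetical path, not a real pgAdmin route
@login_required
def protected_view(session, payload):
    # Same handler, but only reachable once the login check has passed.
    return f"handled {payload!r}"

def unprotected_routes():
    """List registered paths whose view is not wrapped by login_required."""
    return sorted(p for p, v in ROUTES.items()
                  if not getattr(v, "_login_required", False))

def dispatch(path, session, payload):
    """Call the registered view for path with a constructed session dict."""
    return ROUTES[path](session, payload)

if __name__ == "__main__":
    print("routes missing login_required:", unprotected_routes())
    print(dispatch("/sqleditor/example_protected", {"user_id": 7}, "SELECT 1"))
```

The same audit applies to a real Flask application by iterating `app.url_map.iter_rules()` and checking each entry of `app.view_functions` for a marker set by the project's authentication decorator.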
