Anonymous Intelligence Signal

Critical Authorization Bypass in pgAdmin 4 Exposes Data Across Server Groups and Shared Servers

human The Lab unverified 2026-05-11 17:38:25 Source: Mastodon:mastodon.social:#infosec

A critical authorization vulnerability, tracked as CVE-2026-7813, has been identified in pgAdmin 4 server mode with a CVSS score of 9.9. The flaw allows unauthorized access to user-owned objects across multiple modules, including Server Groups, Servers, Shared Servers, Background Processes, and the Debugger. Security researchers at PatchStack flagged the issue after discovering that multiple endpoints fail to properly filter requests based on the requesting user's identity, creating a significant access control failure.

The vulnerability stems from object lookups that are keyed on the object's identifier alone rather than on the identifier plus the requesting user's identity, so the server never confirms that the caller owns, or has been granted access to, the object it returns. In affected deployments, any authenticated user could potentially retrieve, modify, or interact with resources owned by other users or groups simply by referencing their identifiers. This type of flaw (broken object-level authorization) is particularly dangerous in shared hosting environments or organizational setups where multiple teams use the same pgAdmin instance to manage PostgreSQL databases, because one low-privileged account can reach connection definitions and tooling state that belong to every other account on the instance.
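The following is an added illustration of the bug class described above, written for this page; it is not pgAdmin's code or schema, and the table layout, the function names, and the "owner or explicitly shared" visibility rule are assumptions chosen for the example. The vulnerable lookup is keyed on the object id alone, while the hardened lookup and the write path both fold the requesting user into the query predicate.

```python
import sqlite3

# Constructed, in-memory stand-in for the kind of per-user object table an
# administration tool keeps (server name, owner, shared flag). This is an
# illustration of the bug class only, not pgAdmin's schema or code.
SCHEMA = """
CREATE TABLE server (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    name    TEXT    NOT NULL,
    shared  INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample rows: two private servers with different owners and one
# server its owner has explicitly marked as shared.
SAMPLE_ROWS = [
    (1, 100, "alice-prod", 0),
    (2, 200, "bob-staging", 0),
    (3, 200, "team-analytics", 1),
]


def open_db():
    """Create the constructed sample database."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO server VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def get_server_vulnerable(db, sid):
    """Broken object-level authorization: the lookup is keyed on the object id
    alone, so any authenticated user who can guess or enumerate an id gets the
    row regardless of who owns it. This is the pattern the advisory describes."""
    row = db.execute("SELECT * FROM server WHERE id = ?", (sid,)).fetchone()
    return dict(row) if row else None


def get_server(db, sid, current_user_id):
    """Hardened lookup: the requesting user's identity is part of the query
    predicate, so a row the user may not see is indistinguishable from a row
    that does not exist. Visibility rule (an assumption for this example):
    the user owns the object, or the owner explicitly marked it shared."""
    row = db.execute(
        "SELECT * FROM server WHERE id = ? AND (user_id = ? OR shared = 1)",
        (sid, current_user_id),
    ).fetchone()
    return dict(row) if row else None


def rename_server(db, sid, current_user_id, new_name):
    """Same principle on a write path: scope the UPDATE by owner (sharing grants
    read access only in this example) and report success from the affected row
    count rather than from a separate, racy pre-check."""
    cur = db.execute(
        "UPDATE server SET name = ? WHERE id = ? AND user_id = ?",
        (new_name, sid, current_user_id),
    )
    db.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = open_db()
    # User 100 reading user 200's private server through each code path.
    print("vulnerable:", get_server_vulnerable(db, 2))
    print("hardened:  ", get_server(db, 2, 100))
```

The important design point is that ownership is enforced inside the same query that fetches or mutates the object, not in a separate check that every endpoint must remember to call; a module that forgets the check (the advisory lists several) is exactly how an instance-wide authorization gap appears.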

pgAdmin 4 is a widely deployed open-source administration and development platform for PostgreSQL, used by developers, database administrators, and organizations worldwide. The severity rating of 9.9 places this vulnerability near the top of the CVSS scale and warrants immediate attention. Security advisories recommend applying patches as soon as they become available through official pgAdmin release channels. Users operating pgAdmin 4 in server mode, the multi-user deployment this flaw concerns, are urged to monitor the project's security advisories, confirm the exact version each instance is running, and verify it against the affected versions once they are published.