Home

Description

Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, never consulted the User.locked field: pgAdmin's User model relied on Flask-Security's UserMixin.is_locked() (which always returns 'not locked') and Flask-Login's is_active (which only checks the active column, not locked). An attacker who triggered an account lockout via /authenticate/login could therefore obtain a session by re-submitting valid credentials directly to /login, defeating the brute-force-protection control for accounts using the INTERNAL authentication source. The same bypass also means that login attempts via /login are never rate-limited, so an attacker can perform an unbounded online password-guessing attack against INTERNAL accounts regardless of MAX_LOGIN_ATTEMPTS. Fix overrides User.is_active and User.is_locked() so the locked column is enforced on every authentication path. LDAP, OAuth2, Kerberos, and Webserver users are not reachable by this bypass because they have no local password and are rejected by Flask-Security's LoginForm.validate before the locked check; the lockout itself is also internal-only (the /authenticate/login view filters by auth_source=INTERNAL). This issue affects pgAdmin 4: before 9.15.

PUBLISHED Reserved 2026-05-04 | Published 2026-05-11 | Updated 2026-05-11 | Assigner PostgreSQL




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Unauthenticated network attacker. The vulnerability removes pgAdmin's brute-force-protection control for INTERNAL-auth accounts; successful authentication still requires correct credentials, so any compromise is bounded by the strength of the targeted password and the attacker's ability to guess it. C:L/I:L reflects that successful exploitation requires also winning a credential-guessing attack that the bypass enables; S:U reflects that the impact remains within the user's existing pgAdmin authority once they do log in.

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Unauthenticated network attacker. The vulnerability removes pgAdmin's brute-force-protection control for INTERNAL-auth accounts; successful authentication still requires correct credentials, so any compromise is bounded by the strength of the targeted password and the attacker's ability to guess it. C:L/I:L reflects that successful exploitation requires also winning a credential-guessing attack that the bypass enables; S:U reflects that the impact remains within the user's existing pgAdmin authority once they do log in.

Product status

Default status
affected

Any version before 9.15
affected

Credits

Fernando Bortotti finder

References

github.com/pgadmin-org/pgadmin4/issues/9904 issue-tracking

cve.org (CVE-2026-7820)

nvd.nist.gov (CVE-2026-7820)

Download JSON