Skip to main content
CVE Vulnerability Database

CVE-2025-9636: pgAdmin 4 Auth Bypass Vulnerability

CVE-2025-9636 is an authentication bypass flaw in pgAdmin 4 caused by a Cross-Origin Opener Policy weakness that allows attackers to manipulate OAuth flows and gain unauthorized access. This article covers affected versions, impact, and mitigation strategies.

Published:

CVE-2025-9636 Overview

CVE-2025-9636 affects pgAdmin versions 9.7 and earlier through a missing Cross-Origin Opener Policy (COOP) header. The flaw allows attackers to manipulate the OAuth authentication flow used by pgAdmin to authenticate users against external identity providers. Successful exploitation can lead to unauthorized account access, account takeover, and privilege escalation against PostgreSQL administrative interfaces. The weakness is classified under [CWE-346] (Origin Validation Error) and carries a CVSS 3.1 base score of 7.9.

Critical Impact

Attackers who lure an authenticated pgAdmin user to a malicious page can hijack the OAuth window context and gain control of the victim's pgAdmin session, exposing connected PostgreSQL databases.

Affected Products

  • pgAdmin 4 versions through 9.7
  • pgAdmin deployments using OAuth-based authentication providers
  • Self-hosted and containerized pgAdmin instances exposed via web browsers

Discovery Timeline

  • 2025-09-04 - CVE-2025-9636 published to the National Vulnerability Database
  • 2025-09-11 - Last updated in NVD database

Technical Details for CVE-2025-9636

Vulnerability Analysis

pgAdmin 4 supports OAuth-based single sign-on, which opens a popup or auxiliary browser window to complete the authentication handshake with the identity provider. Without a restrictive Cross-Origin-Opener-Policy response header, the browser permits cross-origin documents to retain references to the opener window. A malicious site that initiates or interacts with the pgAdmin OAuth window can therefore read or influence its navigation state across origins.

An attacker hosting a crafted page can call window.open() against pgAdmin, observe redirects in the OAuth flow, and harvest authorization codes or session tokens returned through URL fragments. The attacker can also force navigation of the opener window to a controlled endpoint, tricking the victim into completing authentication under the attacker's account context. Exploitation requires user interaction and a degree of social engineering, which is reflected in the CVSS attack complexity rating.

Root Cause

The root cause is the absence of an enforced Cross-Origin-Opener-Policy: same-origin header on pgAdmin responses that initiate or receive OAuth callbacks. Without COOP isolation, the browsing context group is shared between pgAdmin and any window that opened it, breaking the origin boundary the OAuth specification assumes.

Attack Vector

The attack is delivered over the network and triggered when an authenticated pgAdmin user visits an attacker-controlled web page. The malicious page opens the pgAdmin OAuth flow in a popup, then leverages cross-origin window references to read OAuth response parameters or manipulate the authentication redirect. See the GitHub Issue Discussion for technical context on the reported behavior.

Detection Methods for CVE-2025-9636

Indicators of Compromise

  • Unexpected OAuth authorization requests in identity provider logs originating from pgAdmin clients shortly after users visited untrusted sites.
  • pgAdmin session logins from IP addresses or user agents that do not match the legitimate user's baseline.
  • New PostgreSQL server connections, role changes, or query activity initiated through pgAdmin outside of normal administrative windows.

Detection Strategies

  • Inspect HTTP responses from pgAdmin for the presence of Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers; missing headers indicate exposure.
  • Correlate browser referrer data and OAuth callback timing in web access logs to identify popup-driven authentication attempts from unknown origins.
  • Alert on pgAdmin audit log entries showing privilege changes, server registrations, or backup exports that occur immediately after a fresh OAuth login.

Monitoring Recommendations

  • Forward pgAdmin web server logs and PostgreSQL audit logs to a centralized analytics platform and build queries around OAuth callback URIs.
  • Monitor identity provider sign-in risk signals for impossible-travel or anonymizer-based authentications targeting pgAdmin client IDs.
  • Track configuration changes to pgAdmin config_local.py and reverse proxy rules that govern security response headers.

How to Mitigate CVE-2025-9636

Immediate Actions Required

  • Upgrade pgAdmin 4 to a version later than 9.7 once a fixed release is published by the maintainers.
  • Enforce Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin headers at the reverse proxy in front of pgAdmin.
  • Rotate OAuth client secrets and invalidate active pgAdmin sessions if exposure is suspected.
  • Restrict pgAdmin access to trusted networks or behind a VPN until headers are confirmed in place.

Patch Information

No vendor patch URL is listed in the NVD record at the time of publication. Track the pgAdmin GitHub issue tracker for the official remediation and updated release notes. Apply the fixed release across all pgAdmin servers, including container images and embedded deployments.

Workarounds

  • Place pgAdmin behind a reverse proxy such as nginx or Apache and inject the COOP, COEP, and Referrer-Policy: no-referrer headers for every response.
  • Disable OAuth authentication and revert to internal authentication with multi-factor enforcement until the upgrade is applied.
  • Require administrators to use a dedicated browser profile for pgAdmin to reduce the chance of cross-tab exploitation.
bash
# nginx reverse proxy hardening example
server {
    listen 443 ssl;
    server_name pgadmin.example.com;

    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Frame-Options "DENY" always;

    location / {
        proxy_pass http://127.0.0.1:5050;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.