CVE-2026-7817 Overview
CVE-2026-7817 is a combined Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) vulnerability affecting pgAdmin 4 versions before 9.15. The flaw resides in the LLM API configuration endpoints, where user-supplied api_key_file and api_url preferences were passed directly to LLM provider clients without validation. An authenticated attacker can read arbitrary files readable by the pgAdmin process or coerce the server into issuing requests to internal targets such as cloud metadata services. The issue is tracked under [CWE-552: Files or Directories Accessible to External Parties].
Critical Impact
Authenticated users can exfiltrate arbitrary server-side files and pivot to internal network services, including cloud metadata endpoints at 169.254.169.254.
Affected Products
- pgAdmin 4 versions prior to 9.15
- Server mode deployments exposing LLM configuration preferences
- Desktop mode deployments where the pgAdmin process has access to sensitive local files
Discovery Timeline
- 2026-05-11 - CVE-2026-7817 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7817
Vulnerability Analysis
The vulnerability stems from unvalidated user input reaching downstream LLM provider client libraries inside pgAdmin 4. Two preference fields control LLM integration behavior: api_key_file and api_url. Neither value was sanitized or constrained before being consumed by the chat path and the model-list endpoints.
For the LFI vector, api_key_file accepted any filesystem path. The pgAdmin process opened and read whichever file was specified, returning content through the LLM key-loading routine. This allowed an authenticated user to read files such as configuration files, credentials, and private keys that the pgAdmin service account could access.
For the SSRF vector, api_url accepted arbitrary URLs and forwarded outbound HTTP requests through the LLM client. Attackers could redirect requests to internal-only services or cloud instance metadata endpoints to harvest temporary credentials.
Root Cause
The root cause is missing input validation on two preference fields that flow into privileged file and network operations. The application trusted authenticated user input to point at arbitrary filesystem paths and network destinations without any allow-list, scheme filter, or path containment check.
Attack Vector
Exploitation requires an authenticated pgAdmin session. The attacker updates the LLM preferences to point api_key_file at a sensitive file such as /etc/passwd, application config files, or SSH keys, then triggers the chat or model-list endpoint to force a read. For SSRF, the attacker sets api_url to an internal IP or cloud metadata URL and invokes the same endpoints to coerce pgAdmin into issuing the outbound request. See the pgAdmin GitHub Issue Report for additional technical context.
Detection Methods for CVE-2026-7817
Indicators of Compromise
- pgAdmin preference updates setting api_key_file to paths outside the user's private storage or home directory
- Outbound HTTP requests from pgAdmin to 169.254.169.254, 127.0.0.1, or RFC1918 addresses not previously associated with LLM traffic
- Anomalous reads of /etc/passwd, ~/.ssh/, or pgAdmin configuration files by the pgAdmin service account
- Repeated invocations of the chat path or model-list endpoints following preference modifications
Detection Strategies
- Audit pgAdmin application logs for changes to api_key_file and api_url preference values
- Inspect process-level file access telemetry for the pgAdmin user reading files outside expected directories
- Correlate preference modification events with subsequent calls to LLM-related endpoints within short time windows
- Monitor egress traffic from pgAdmin hosts for connections to cloud metadata IPs and internal management interfaces
Monitoring Recommendations
- Enable verbose logging on pgAdmin LLM endpoints to capture full request and preference state
- Forward pgAdmin host telemetry, including file access and network connection events, to a central SIEM or data lake
- Establish a baseline of expected outbound destinations from pgAdmin and alert on deviations
- Track authenticated session activity for users who modify LLM configuration without prior history
How to Mitigate CVE-2026-7817
Immediate Actions Required
- Upgrade pgAdmin 4 to version 9.15 or later, which restricts api_key_file paths and enforces an allow-list for api_url
- Review existing user preferences for unexpected api_key_file or api_url values and reset them
- Restrict pgAdmin process privileges so it cannot read sensitive system files or reach cloud metadata services
- Audit authentication logs for unauthorized account creation or password resets preceding the disclosure window
Patch Information
The fix in pgAdmin 4 version 9.15 restricts api_key_file to the user's private storage in server mode or the home directory in desktop mode. It enforces a printable-ASCII shape on the key and applies a 1024-byte read cap. The patch also gates api_url against the configurable allow-list config.ALLOWED_LLM_API_URLS at every entry point. Refer to the pgAdmin GitHub Issue Report for fix details.
Workarounds
- Disable LLM integration features in pgAdmin until the upgrade is applied
- Apply egress firewall rules blocking pgAdmin hosts from reaching 169.254.169.254 and other internal-only networks
- Run pgAdmin under a dedicated low-privilege account with minimal filesystem read access
- Restrict pgAdmin access to trusted users only and enforce multi-factor authentication on accounts
# Configuration example: define an allow-list for LLM API URLs in config_local.py
ALLOWED_LLM_API_URLS = [
"https://api.openai.com",
"https://api.anthropic.com"
]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
