CVE-2026-7819 Overview
CVE-2026-7819 is a symbolic-link path traversal vulnerability [CWE-61, CWE-22] in the pgAdmin 4 File Manager. The flaw exists in the check_access_permission function, which uses os.path.abspath to validate file paths. This function resolves .. sequences but does not follow symbolic links, while the subsequent kernel write operation does follow them. An authenticated attacker can plant a symbolic link inside their own storage directory pointing outside of it, then induce pgAdmin to write to any path reachable by the pgAdmin process. The issue affects pgAdmin 4 versions before 9.15.
Critical Impact
Authenticated users can write files to arbitrary locations accessible by the pgAdmin process, enabling integrity and availability compromise of the host system.
Affected Products
- pgAdmin 4 versions prior to 9.15
Discovery Timeline
- 2026-05-11 - CVE-2026-7819 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7819
Vulnerability Analysis
The vulnerability resides in the pgAdmin 4 File Manager component responsible for validating user-supplied file paths during upload operations. The check_access_permission routine calls os.path.abspath to canonicalize the requested path. While os.path.abspath collapses .. traversal sequences, it does not resolve symbolic links along the path. The kernel-level write that follows the check transparently follows any symlinks it encounters. This mismatch between the path used for authorization and the path used for the actual write produces an exploitable traversal primitive.
The flaw also exhibits a Time-of-Check to Time-of-Use (TOCTOU) condition. Between the access check and the open call, an attacker can swap the leaf component of the target path, redirecting the write after authorization has been granted.
Root Cause
The root cause is the use of os.path.abspath instead of os.path.realpath for security-relevant path validation. abspath performs lexical normalization only and does not consult the filesystem to resolve symlinks. Validation therefore evaluates a logical path while the write targets the physical path the kernel resolves.
Attack Vector
An authenticated user with access to their own pgAdmin storage directory creates a symbolic link inside that directory pointing to a location outside it. The user then issues a file operation through the File Manager that targets the symlink. check_access_permission confirms the apparent path lies within the user's storage, but the subsequent write follows the symlink to the attacker-chosen destination. Any file path reachable by the pgAdmin process identity becomes a valid write target, including configuration files, web application content, or scheduled task definitions.
Detection Methods for CVE-2026-7819
Indicators of Compromise
- Presence of symbolic links inside per-user pgAdmin storage directories that resolve to paths outside the user's storage root.
- File Manager upload or rename requests where the resolved real path differs from the requested absolute path.
- Unexpected file writes by the pgAdmin process identity to paths outside the configured storage directory.
- New or modified files in system, web, or application directories whose owner matches the pgAdmin service account.
Detection Strategies
- Audit pgAdmin storage directories for symbolic links using find <storage_dir> -type l and verify each target resolves within the intended boundary.
- Enable filesystem auditing (auditd, Sysmon FileCreate) on the pgAdmin process to capture write operations outside the storage root.
- Review pgAdmin application logs for File Manager activity correlated with anomalous write destinations on the host.
Monitoring Recommendations
- Alert on creation of symlinks within authenticated user storage directories on pgAdmin servers.
- Monitor pgAdmin process file writes for paths matching sensitive locations such as ~/.ssh/, web roots, cron directories, and pgAdmin configuration files.
- Correlate authenticated File Manager API calls with subsequent filesystem changes outside expected upload paths.
How to Mitigate CVE-2026-7819
Immediate Actions Required
- Upgrade pgAdmin 4 to version 9.15 or later on all affected deployments.
- Restrict network access to pgAdmin to trusted administrators only, since exploitation requires authentication.
- Audit existing storage directories for pre-planted symbolic links and remove any that point outside the storage root.
- Run the pgAdmin process under a least-privileged service account that cannot write to sensitive system paths.
Patch Information
The fix in pgAdmin 4 version 9.15 replaces os.path.abspath with os.path.realpath for both source and destination path checks, ensuring symbolic links are resolved before authorization. A new _open_upload_target helper opens the target with the O_NOFOLLOW flag and mode 0o600, closing the leaf-component TOCTOU window between the access check and the file open. File creation mode is hardened from 0o644 to 0o600. See the pgAdmin GitHub Issue 9902 for additional technical detail.
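The root cause and the fix described above, as an added illustration that is not pgAdmin's code: an abspath-based boundary check accepts a symlink leaf that realpath rejects, and a separate O_NOFOLLOW open refuses a symlink swapped in after the check. Function names, the `open_nofollow` helper and the temp-directory scenario are assumptions constructed for the demo.

```python
# Added illustration of the flaw and fix described above; names are assumptions, not pgAdmin's code.
import errno
import os
import tempfile

def check_access_permission_vulnerable(storage_root, requested):
    """Lexical check only: abspath collapses '..' but leaves symlinks unresolved."""
    root = os.path.abspath(storage_root)
    path = os.path.abspath(os.path.join(root, requested))
    return path == root or path.startswith(root + os.sep)

def check_access_permission_fixed(storage_root, requested):
    """Hardened check: realpath resolves symlinks before the boundary comparison."""
    root = os.path.realpath(storage_root)
    path = os.path.realpath(os.path.join(root, requested))
    return path == root or path.startswith(root + os.sep)

def open_nofollow(path):
    """O_NOFOLLOW plus mode 0o600: a symlink leaf fails with ELOOP instead of redirecting the write."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)

def open_upload_target(storage_root, requested):
    """realpath check, then open the unresolved leaf with O_NOFOLLOW, closing the TOCTOU window."""
    if not check_access_permission_fixed(storage_root, requested):
        raise PermissionError(f"{requested!r} escapes the storage root")
    return open_nofollow(os.path.join(os.path.realpath(storage_root), requested))

def demo():
    """Constructed scenario: storage dir holding a symlink to an outside file, plus a check-then-swap race."""
    base = tempfile.mkdtemp()
    storage = os.path.join(base, "storage", "alice")
    os.makedirs(storage)
    outside = os.path.join(base, "outside.conf")  # stands in for any file the process can write
    open(outside, "w").close()
    os.symlink(outside, os.path.join(storage, "evil.txt"))
    results = {"abspath_allows_symlink": check_access_permission_vulnerable(storage, "evil.txt"),
               "realpath_allows_symlink": check_access_permission_fixed(storage, "evil.txt")}
    # TOCTOU: a regular file passes the check, then is replaced by a symlink before the open.
    leaf = os.path.join(storage, "report.txt")
    open(leaf, "w").close()
    results["check_passed_before_swap"] = check_access_permission_fixed(storage, "report.txt")
    os.remove(leaf)
    os.symlink(outside, leaf)
    try:
        os.close(open_nofollow(leaf))
        results["nofollow_blocked_swap"] = False
    except OSError as exc:
        results["nofollow_blocked_swap"] = exc.errno == errno.ELOOP
    return results
```

Running `demo()` on Linux shows the abspath check accepting the symlink, the realpath check rejecting it, and the O_NOFOLLOW open refusing the swapped leaf with ELOOP.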
Workarounds
- If immediate patching is not possible, disable or restrict the File Manager feature for non-administrative users.
- Mount per-user pgAdmin storage directories with the nosymfollow option where supported to block symlink traversal at the kernel level.
- Apply mandatory access controls (SELinux, AppArmor) confining the pgAdmin process to its intended storage directories.
# Identify symbolic links inside pgAdmin storage that escape the storage root
find /var/lib/pgadmin/storage -type l -exec sh -c '
    for link; do
        target=$(readlink -f "$link")
        case "$target" in
            /var/lib/pgadmin/storage/*) ;;
            *) echo "OUT-OF-BOUNDS: $link -> $target" ;;
        esac
    done
' sh {} +
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.