Primary

Context

pgAdmin 4 Symbolic-Link Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

Patched

A symbolic-link path traversal vulnerability has been identified in pgAdmin 4 File Manager versions prior to 9.15. The issue arises because the `check_access_permission` function uses `os.path.abspath`, which resolves directory traversal sequences but fails to resolve symbolic links. Consequently, an authenticated user could create a symbolic link in their storage directory that points outside of it, leading pgAdmin to write to any path accessible by the pgAdmin process.

Impact

Exploitation of this vulnerability allows for arbitrary file writes to any location reachable by the pgAdmin process, potentially leading to unauthorized data modification or overwriting critical files.

Remediation

This vulnerability has been fixed in pgAdmin 4 version 9.15. Users should upgrade to this version.

Added: May 11, 2026, 4:24 PM

Updated: May 11, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

0.8

exploitability

4.9

remediation

7.7

relevance

8.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

0.8

exploitability

4.9

remediation

7.7

relevance

8.0

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

pgAdmin 4 Symbolic-Link Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

Impact

Remediation

Affected Products

pgAdmin

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating