pgAdmin 4 Account Lockout Bypass Vulnerability in Flask-Security Login View

Vulnerability

A vulnerability in pgAdmin 4 prior to version 9.15 allows an account lockout bypass through improper handling of authentication attempts. The application enforces its maximum login attempt policy only in its custom login view, while the default Flask-Security login view, which is reachable on every server, does not check whether a user account is locked. As a result, an attacker can sidestep the brute-force protection, particularly for accounts using the INTERNAL authentication source.
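The pattern described above, modelled as an added example that is not pgAdmin's or Flask-Security's own code: a shared authentication routine that tracks failures and the locked flag, the application's own view that uses it, a second login path that verifies the password without consulting the lock, and the remediated form that routes that second path through the same check. The account data, the limit of 3 attempts and all function names are constructed for this illustration.

```python
import hmac
from dataclasses import dataclass

MAX_LOGIN_ATTEMPTS = 3  # assumed value; the page names the setting, not its limit


@dataclass
class Account:
    username: str
    password: str              # plaintext only to keep the model small
    auth_source: str = "INTERNAL"
    failed_attempts: int = 0
    locked: bool = False


def make_accounts():
    """Constructed sample data, not real pgAdmin accounts."""
    return {"alice": Account("alice", "correct-horse")}


def authenticate(accounts, username, password):
    """Single authentication routine: the lock is checked and failures are
    counted here, so every login path that calls it gets the same policy."""
    account = accounts.get(username)
    if account is None or account.locked:
        return False
    if hmac.compare_digest(account.password, password):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_LOGIN_ATTEMPTS:
        account.locked = True
    return False


def custom_login(accounts, username, password):
    """The application's own login view: enforces the policy."""
    return authenticate(accounts, username, password)


def default_login_vulnerable(accounts, username, password):
    """A second, framework-provided login view that verifies the password
    directly and never consults `locked`: the gap the advisory describes."""
    account = accounts.get(username)
    return account is not None and hmac.compare_digest(account.password, password)


def default_login_fixed(accounts, username, password):
    """Remediated form: the framework view is routed through the shared check,
    so a locked account is rejected on every login path."""
    return authenticate(accounts, username, password)
```

The detection counterpart is the same observation in reverse: failed-login counting that only watches one endpoint will under-report guessing traffic arriving at the other.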

Impact

Exploitation of this vulnerability allows for an unbounded online password-guessing attack against INTERNAL accounts, bypassing the application's login attempt rate limits and MAX_LOGIN_ATTEMPTS policy.

Remediation

This vulnerability has been fixed in pgAdmin 4 version 9.15. Users should upgrade to this version to address the issue.

Added: May 11, 2026, 4:22 PM
Updated: May 11, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 1.3
exploitability: 6.6
remediation: 7.7
relevance: 8.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.