216.73.217.50

CVE-2026-7817

· Published 11/05/2026 16:17 · Modified 11/05/2026 17:16

Labels: CVE-2026-7817 2026-05-11CVE-2026-7817CWE-552f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Essential information

Published
11/05/2026 16:17
Modified
11/05/2026 17:16
Author
Creator
CVSS
7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_url, exploiting the chat path and model-list endpoints. Fix restricts api_key_file to the user's private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates api_url against a configurable allow-list (config.ALLOWED_LLM_API_URLS) at every entry point. This issue affects pgAdmin 4: before 9.15.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
NVD
View on NVD

Affected products (CPE)

ProductCPE
pgadmin / pgadmin 4 cpe:2.3:a:pgadmin:pgadmin_4:<9.15:*:*:*:*:*:*:*

References