PYSEC-2026-2871

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pgadmin4/PYSEC-2026-2871.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2871
Aliases
Published
2026-07-13T15:15:44.937259Z
Modified
2026-07-13T16:32:56.751622988Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities
Details

Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.

User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing apikeyfile at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting apiurl, exploiting the chat path and model-list endpoints.

Fix restricts apikeyfile to the user's private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates apiurl against a configurable allow-list (config.ALLOWEDLLMAPIURLS) at every entry point.

This issue affects pgAdmin 4: before 9.15.

References

Affected packages

PyPI / pgadmin4

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.15

Affected versions

4.*
4.20
4.22
4.23
4.24
4.25
4.26
4.27
4.28
4.29
4.30
5.*
5.0
5.1
5.2
5.3
5.4
5.5
5.6
5.7
6.*
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
6.11
6.12
6.13
6.14
6.15
6.16
6.17
6.18
6.19
6.20
6.21
7.*
7.0
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
8.*
8.0
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
8.13
8.14
9.*
9.0
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.8
9.9
9.10
9.11
9.12
9.13
9.14

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pgadmin4/PYSEC-2026-2871.yaml"