{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12049", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2026-06-11T20:40:09.111Z", "datePublished": "2026-06-18T23:37:43.328Z", "dateUpdated": "2026-06-22T14:39:56.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-06-18T23:37:43.328Z"}, "title": "pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter", "affected": [{"vendor": "pgadmin.org", "product": "pgAdmin 4", "repo": "https://github.com/pgadmin-org/pgadmin4", "modules": ["Authentication", "Multi-Factor Authentication"], "programFiles": ["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/authenticate/mfa/views.py"], "versions": [{"status": "affected", "version": "6.0", "lessThan": "9.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.\n\nThe defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.\n\nFix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.\n\nThis issue affects pgAdmin 4: from 6.0 before 9.16."}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/10028", "tags": ["issue-tracking"]}, {"url": "https://github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a9076d204cd", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "Attacker delivers a crafted /mfa/validate?next=<external> URL to a logged-in pgAdmin user (typically via phishing). The endpoint requires login_required so the victim must already be authenticated to pgAdmin -- but the *attacker* needs no pgAdmin privileges at all to construct and deliver the link (PR:N). UI:R captures the click. Scope is unchanged: the defect does not grant the attacker access to pgAdmin's authority or the victim's database session; it only launders the attacker's destination through pgAdmin's URL, which raises credential-phishing success rates. C:N and A:N follow from the same reasoning; I:L acknowledges the integrity impact of an authenticated-flow redirect that lends pgAdmin's trust to an attacker domain.\n\nReviewer note (Dave Page, 2026-06-11): defensible at 4.3 for a token-free open redirect. Heads-up that NVD house style for open redirects often lands at S:C/C:L/I:L -> 6.1, so expect a possible upward rescore by the NVD analyst."}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "Same reasoning as the CVSS 3.1 entry: the attacker needs no pgAdmin privileges to craft the link, the victim must click it (UI:P), and the defect grants no new vulnerable-system or subsequent-system capability beyond a trusted-domain redirect that aids downstream phishing (VI:L only)."}], "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "cweId": "CWE-601", "type": "CWE"}]}], "credits": [{"lang": "en", "value": "Mai Ph\u1ea1m Hi\u1ec1n <mai.phamhien171@gmail.com>", "type": "finder"}, {"lang": "en", "value": "Dave Page <page@pgadmin.org>", "type": "remediation developer"}, {"lang": "en", "value": "Kundan Sable <kundan.sable@enterprisedb.com>", "type": "remediation reviewer"}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T14:39:40.324350Z", "id": "CVE-2026-12049", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T14:39:56.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12049", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-22T14:39:40.324350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T14:39:50.698Z"}}], "cna": {"title": "pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Mai Ph\u1ea1m Hi\u1ec1n <mai.phamhien171@gmail.com>"}, {"lang": "en", "type": "remediation developer", "value": "Dave Page <page@pgadmin.org>"}, {"lang": "en", "type": "remediation reviewer", "value": "Kundan Sable <kundan.sable@enterprisedb.com>"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "Attacker delivers a crafted /mfa/validate?next=<external> URL to a logged-in pgAdmin user (typically via phishing). The endpoint requires login_required so the victim must already be authenticated to pgAdmin -- but the *attacker* needs no pgAdmin privileges at all to construct and deliver the link (PR:N). UI:R captures the click. Scope is unchanged: the defect does not grant the attacker access to pgAdmin's authority or the victim's database session; it only launders the attacker's destination through pgAdmin's URL, which raises credential-phishing success rates. C:N and A:N follow from the same reasoning; I:L acknowledges the integrity impact of an authenticated-flow redirect that lends pgAdmin's trust to an attacker domain.\n\nReviewer note (Dave Page, 2026-06-11): defensible at 4.3 for a token-free open redirect. Heads-up that NVD house style for open redirects often lands at S:C/C:L/I:L -> 6.1, so expect a possible upward rescore by the NVD analyst."}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en", "value": "Same reasoning as the CVSS 3.1 entry: the attacker needs no pgAdmin privileges to craft the link, the victim must click it (UI:P), and the defect grants no new vulnerable-system or subsequent-system capability beyond a trusted-domain redirect that aids downstream phishing (VI:L only)."}]}], "affected": [{"repo": "https://github.com/pgadmin-org/pgadmin4", "vendor": "pgadmin.org", "modules": ["Authentication", "Multi-Factor Authentication"], "product": "pgAdmin 4", "versions": [{"status": "affected", "version": "6.0", "lessThan": "9.16", "versionType": "custom"}], "programFiles": ["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/authenticate/mfa/views.py"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/pgadmin-org/pgadmin4/issues/10028", "tags": ["issue-tracking"]}, {"url": "https://github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a9076d204cd", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.\n\nThe defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.\n\nFix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.\n\nThis issue affects pgAdmin 4: from 6.0 before 9.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2026-06-18T23:37:43.328Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12049", "state": "PUBLISHED", "dateUpdated": "2026-06-22T14:39:56.925Z", "dateReserved": "2026-06-11T20:40:09.111Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2026-06-18T23:37:43.328Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "pgAdmin 4: pgAdmin 4: Open redirect vulnerability in multi-factor authentication can lead to phishing", "id": "2490620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490620"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-601", "details": ["A flaw was found in pgAdmin 4. This open redirect vulnerability exists in the multi-factor authentication (MFA) flow. An authenticated user could be tricked into clicking a specially crafted link, which would redirect them to an attacker-controlled website. This could increase the success rate of phishing attacks, potentially leading to information disclosure or credential compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-12049", "public_date": "2026-06-18T23:37:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-12049\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-12049\nhttps://github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a9076d204cd\nhttps://github.com/pgadmin-org/pgadmin4/issues/10028"], "statement": "This Low impact vulnerability in pgAdmin 4's multi-factor authentication flow allows an authenticated user to be redirected to an arbitrary external website. Exploitation requires user interaction, specifically clicking a specially crafted link, and primarily facilitates phishing attacks rather than direct system compromise.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,9.16)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "pgAdmin 4", "source": "cna", "vendor": "pgadmin.org"}, "product": "pgadmin_4", "vendor": "pgadmin"}], "created": "2026-06-19T01:30:16.171846+00:00", "updated": "2026-06-24T20:30:04.381724+00:00", "vendors": ["pgadmin", "pgadmin$PRODUCT$pgadmin_4"]}