pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter

Summary

CVE	CVE-2026-12049
State	PUBLISHED
Assigner	PostgreSQL
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-19 00:16:47 UTC
Updated	2026-06-22 20:23:26 UTC
Description	Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow. The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim. Fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC. This issue affects pgAdmin 4: from 6.0 before 9.16.

Risk And Classification

Primary CVSS: v4.0 5.3 MEDIUM from f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-601 | CWE-601 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Version	Source	Type	Score	Severity	Vector
4.0	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	Secondary	5.3	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/C...`
4.0	CNA	CVSS	5.3	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
3.1	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	Secondary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`
3.1	CNA	CVSS	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N`

CVSS v4.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Passive

Confidentiality

None

Integrity

Low

Availability

None

Sub Conf.

None

Sub Integrity

None

Sub Availability

None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Pgadmin.org	PgAdmin 4	affected 6.0 9.16 custom	Not specified

References

Reference	Source	Link	Tags
github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a907...	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	github.com
github.com/pgadmin-org/pgadmin4/issues/10028	f86ef6dc-4d3a-42ad-8f28-e6d5547a5007	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Mai Phạm Hiền <[email protected]> (en)

CNA: Dave Page <[email protected]> (en)

CNA: Kundan Sable <[email protected]> (en)

There are currently no legacy QID mappings associated with this CVE.