Vulnerability Details CVE-2026-12049
Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.
The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of follow-on credential phishing against the victim.
The fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes a user-supplied 'next' value through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter's PoC.
This issue affects pgAdmin 4: from 6.0 before 9.16.
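As an added illustration of the same-origin check the fix describes, the validator below is written for this page and is not pgAdmin's own code; the helper names, the fallback index path and the request host carrying its port (as a Flask request.host would) are assumptions.

```python
from urllib.parse import urlsplit

# Fallback used when the target is unsafe. pgAdmin's real index path is not
# stated on the page, so this value is an assumption.
INTERNAL_INDEX = "/browser/"

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_url(target, request_host):
    """Same-origin check for a user-supplied 'next' value.

    Accepts a relative path, or an absolute http(s) URL whose authority is
    exactly the current request host. Everything else is rejected.
    """
    if not isinstance(target, str):
        return False
    target = target.strip()
    if not target:
        return False
    # Backslashes and control characters: some browsers rewrite "\" to "/"
    # and skip tabs/newlines, so "/\evil.com" can become "//evil.com".
    # Refusing them outright avoids mirroring every browser's parser.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference. "///evil.com" has an empty netloc in urlsplit
        # but browsers read it as a host, so refuse a leading "//".
        return not target.startswith("//")
    # Protocol-relative ("//evil.com/x") lands here with an empty scheme and
    # is rejected regardless of host: only http(s) absolute URLs pass.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Compare the whole authority, so "http://localhost:5050@attacker/"
    # (netloc "localhost:5050@attacker") and "http://localhost:9999/" do not
    # match a request host of "localhost:5050".
    return parts.netloc.lower() == request_host.lower()


def safe_next(target, request_host):
    """Return the redirect target to use, or the internal index if unsafe."""
    if is_safe_redirect_url(target, request_host):
        return target.strip()
    return INTERNAL_INDEX
```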
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 16.9%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2026-12049
- cpe:2.3:a:pgadmin:pgadmin_4:6.0
- cpe:2.3:a:pgadmin:pgadmin_4:6.1
- cpe:2.3:a:pgadmin:pgadmin_4:6.10
- cpe:2.3:a:pgadmin:pgadmin_4:6.11
- cpe:2.3:a:pgadmin:pgadmin_4:6.12
- cpe:2.3:a:pgadmin:pgadmin_4:6.13
- cpe:2.3:a:pgadmin:pgadmin_4:6.14
- cpe:2.3:a:pgadmin:pgadmin_4:6.15
- cpe:2.3:a:pgadmin:pgadmin_4:6.16
- cpe:2.3:a:pgadmin:pgadmin_4:6.17
- cpe:2.3:a:pgadmin:pgadmin_4:6.18
- cpe:2.3:a:pgadmin:pgadmin_4:6.19
- cpe:2.3:a:pgadmin:pgadmin_4:6.2
- cpe:2.3:a:pgadmin:pgadmin_4:6.20
- cpe:2.3:a:pgadmin:pgadmin_4:6.21
- cpe:2.3:a:pgadmin:pgadmin_4:6.3
- cpe:2.3:a:pgadmin:pgadmin_4:6.4
- cpe:2.3:a:pgadmin:pgadmin_4:6.5
- cpe:2.3:a:pgadmin:pgadmin_4:6.6
- cpe:2.3:a:pgadmin:pgadmin_4:6.7
- cpe:2.3:a:pgadmin:pgadmin_4:6.8
- cpe:2.3:a:pgadmin:pgadmin_4:6.9
- cpe:2.3:a:pgadmin:pgadmin_4:7.0
- cpe:2.3:a:pgadmin:pgadmin_4:7.1
- cpe:2.3:a:pgadmin:pgadmin_4:7.2
- cpe:2.3:a:pgadmin:pgadmin_4:7.3
- cpe:2.3:a:pgadmin:pgadmin_4:7.4
- cpe:2.3:a:pgadmin:pgadmin_4:7.5
- cpe:2.3:a:pgadmin:pgadmin_4:7.6
- cpe:2.3:a:pgadmin:pgadmin_4:7.7
- cpe:2.3:a:pgadmin:pgadmin_4:7.8
- cpe:2.3:a:pgadmin:pgadmin_4:8.0
- cpe:2.3:a:pgadmin:pgadmin_4:8.1
- cpe:2.3:a:pgadmin:pgadmin_4:8.10
- cpe:2.3:a:pgadmin:pgadmin_4:8.11
- cpe:2.3:a:pgadmin:pgadmin_4:8.12
- cpe:2.3:a:pgadmin:pgadmin_4:8.13
- cpe:2.3:a:pgadmin:pgadmin_4:8.14
- cpe:2.3:a:pgadmin:pgadmin_4:8.2
- cpe:2.3:a:pgadmin:pgadmin_4:8.3
- cpe:2.3:a:pgadmin:pgadmin_4:8.4
- cpe:2.3:a:pgadmin:pgadmin_4:8.5
- cpe:2.3:a:pgadmin:pgadmin_4:8.6
- cpe:2.3:a:pgadmin:pgadmin_4:8.7
- cpe:2.3:a:pgadmin:pgadmin_4:8.8
- cpe:2.3:a:pgadmin:pgadmin_4:8.9
- cpe:2.3:a:pgadmin:pgadmin_4:9.0
- cpe:2.3:a:pgadmin:pgadmin_4:9.1
- cpe:2.3:a:pgadmin:pgadmin_4:9.10
- cpe:2.3:a:pgadmin:pgadmin_4:9.2
- cpe:2.3:a:pgadmin:pgadmin_4:9.3
- cpe:2.3:a:pgadmin:pgadmin_4:9.4
- cpe:2.3:a:pgadmin:pgadmin_4:9.5
- cpe:2.3:a:pgadmin:pgadmin_4:9.6
- cpe:2.3:a:pgadmin:pgadmin_4:9.7
- cpe:2.3:a:pgadmin:pgadmin_4:9.8
- cpe:2.3:a:pgadmin:pgadmin_4:9.9