ZCyberNews
CVE-2026-7820

pgAdmin 4 Brute-Force Flaw CVE-2026-7820 Bypasses Account Lockout

CVE-2026-7820 (CVSS 6.5) in pgAdmin 4 lets attackers brute-force passwords via Flask-Security's default /login view, bypassing MAXLOGINATTEMPTS enforcement.

Executive Summary

pgAdmin 4, the widely used open-source administration and management tool for PostgreSQL, carries a vulnerability tracked as CVE-2026-7820 that allows remote attackers to bypass account lockout protections and brute-force user passwords. The flaw, assigned a CVSS score of 6.5 (medium severity), stems from an improper restriction of excessive authentication attempts (CWE-307) in the application's authentication logic. According to the project's GitHub issue tracker, pgAdmin enforces a MAX_LOGIN_ATTEMPTS limit only within its custom /authenticate/login view, but Flask-Security's default /login view — registered automatically by security.init_app() and reachable on every server — never consults the User.locked field. This means an attacker can send login requests to the default endpoint indefinitely without triggering account lockout. The issue was disclosed in pgAdmin's GitHub repository, and a fix has been merged.

Technical Analysis

The vulnerability lies in how pgAdmin integrates with Flask-Security, a popular extension for adding authentication features to Flask applications. pgAdmin's developers implemented a custom authentication view at /authenticate/login that checks the User.locked attribute before allowing login attempts. If the user exceeds MAX_LOGIN_ATTEMPTS, the account is locked, and further attempts via this view are rejected.

However, Flask-Security's security.init_app() function automatically registers a default /login route that bypasses pgAdmin's custom logic. This default view uses Flask-Security's built-in authentication flow, which does not inspect the User.locked field. The User.locked field is defined in pgAdmin's User model via Flask-Security's UserMixin.is_locked property, but the default login handler never references it. As a result, an attacker can send POST requests to /login with guessed credentials indefinitely, without the account being locked out.

The issue is documented in pgAdmin's GitHub issue #9904, where developers confirmed that the default Flask-Security login endpoint is accessible on all pgAdmin 4 server-mode installations. The fix involves either disabling the default /login route or overriding Flask-Security's authentication handler to incorporate the lockout check. The patch was merged into the pgAdmin 4 codebase on April 28, 2026, according to the commit history.

Notably, this flaw affects pgAdmin 4 when running in server mode — the most common deployment for multi-user environments, where administrators manage PostgreSQL instances remotely via a web browser. The attack does not require authentication; any remote attacker with network access to the pgAdmin web interface can exploit it.
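The structural defect described above, as an added framework-free illustration (not pgAdmin's or Flask-Security's code): two login handlers share one user store, but only the custom one consults the lock, so a locked account still authenticates through the other route. The names MAX_LOGIN_ATTEMPTS, authenticate_login, default_login_vulnerable, default_login_fixed and audit_login_handlers are assumptions for this example; the fix it models is the one the issue describes, routing every login entry point through the single guarded check.

```python
import hmac
from dataclasses import dataclass

MAX_LOGIN_ATTEMPTS = 3  # assumed value for the illustration


@dataclass
class User:
    username: str
    password: str  # constructed sample; a real store holds only a password hash
    login_attempts: int = 0
    locked: bool = False


def verify_password(user, password):
    # Constant-time comparison stands in for real hash verification.
    return hmac.compare_digest(user.password, password)


def authenticate_login(user, password):
    """Guarded path: the custom view consults User.locked and counts failures."""
    if user.locked:
        return False
    if verify_password(user, password):
        user.login_attempts = 0
        return True
    user.login_attempts += 1
    if user.login_attempts >= MAX_LOGIN_ATTEMPTS:
        user.locked = True
    return False


def default_login_vulnerable(user, password):
    """Default view as the advisory describes it: password check only, lock never read."""
    return verify_password(user, password)


def default_login_fixed(user, password):
    """Hardened default view: every entry point funnels through the guarded check."""
    return authenticate_login(user, password)


def lockout_enforced(handler):
    """Regression check: a locked user presenting the correct password must be rejected."""
    probe = User("audit", "correct-horse", login_attempts=MAX_LOGIN_ATTEMPTS, locked=True)
    return handler(probe, "correct-horse") is False


def audit_login_handlers(handlers):
    """Return the routes whose handler accepts a login for a locked account."""
    return [route for route, h in handlers.items() if not lockout_enforced(h)]
```

Running audit_login_handlers over every registered login route, including ones a framework adds on its own, is the regression test that would have flagged the unguarded default view.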

Mitigations & Recommendations

pgAdmin users should upgrade to the latest version of pgAdmin 4 that includes the fix for CVE-2026-7820. As of this writing, the patched version is pgAdmin 4 v9.2 or later, depending on the release branch. Administrators who cannot immediately upgrade should consider restricting network access to the pgAdmin web interface using firewall rules or VPNs, limiting exposure to trusted IP ranges. Additionally, monitoring logs for repeated failed authentication attempts against the /login endpoint can help detect active brute-force campaigns. The pgAdmin project recommends that users verify their deployment does not expose the default Flask-Security login route; this can be checked by navigating to /login in a browser and observing whether a login form appears.
