CVE-2024-2044

9.9 CRITICAL

📋 TL;DR

pgAdmin 4 versions up to and including 8.3 take the session ID from the client's session cookie, use it to build the path of the on-disk session file, and then unpickle that file. The ID is never validated as a bare file name, so a crafted cookie can point the server at a file outside the session directory, and loading it deserializes an attacker-controlled pickle: remote code execution as the pgAdmin process. On Windows this needs no authentication, because the supplied path can be a UNC path to an attacker-controlled SMB share; on Linux and other POSIX systems the attacker must already be logged in so they can place a file on the server (for example through pgAdmin's own file manager). Every deployment running an affected version is exposed.
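As an added illustration (not pgAdmin's code and not the published exploit), the pattern behind the bug beside its hardened form: a toy file-backed session store whose loader joins the cookie-supplied session ID onto the session directory and unpickles the result, versus a loader that validates the ID, pins the resolved path inside the directory and checks an HMAC over the file bytes before deserializing. The key, the 32-hex-digit ID format and the mac+pickle file layout are assumptions for the demo; ntpath is used so the Windows UNC behaviour can be observed on any platform.

```python
"""Session-file path traversal of the kind behind CVE-2024-2044, as an added
example (not pgAdmin's code). A toy file-backed session store builds the session
file path from the cookie-supplied session ID and unpickles what it finds there,
beside a hardened loader that validates the ID, pins the resolved path inside the
session directory and verifies an HMAC before deserializing. The secret key, the
32-hex-digit ID format and the mac+pickle file layout are assumptions for the demo."""
import hashlib
import hmac
import ntpath
import os
import pickle
import re
import tempfile

SECRET_KEY = b"demo-only-secret"        # assumed server-side key, not pgAdmin's
SID_RE = re.compile(r"[0-9a-f]{32}")    # hex only: no slashes, backslashes or dots
MAC_LEN = 32                            # SHA-256 HMAC prefix on every session file


def session_file(session_dir, sid, join=os.path.join):
    """The vulnerable construction: join() discards session_dir entirely when sid
    is absolute, which on Windows includes UNC paths such as \\\\host\\share\\x."""
    return join(session_dir, sid)


def write_session(session_dir, sid, data):
    """Server-side write: HMAC over the pickle bytes, stored as a prefix."""
    payload = pickle.dumps(data)
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    with open(os.path.join(session_dir, sid), "wb") as f:
        f.write(mac + payload)


def load_session_unsafe(session_dir, sid):
    """Vulnerable pattern: whatever path the cookie points at gets unpickled.
    The MAC bytes are skipped rather than checked, so a planted file is accepted."""
    fname = session_file(session_dir, sid)
    if not os.path.exists(fname):
        return None
    with open(fname, "rb") as f:
        blob = f.read()
    return pickle.loads(blob[MAC_LEN:])   # a hostile pickle runs code right here


def load_session_safe(session_dir, sid):
    """Hardened pattern: strict ID syntax, realpath pinned inside session_dir
    (which also defeats symlinks), HMAC checked before pickle sees the bytes."""
    if not SID_RE.fullmatch(sid):
        return None
    base = os.path.realpath(session_dir)
    fname = os.path.realpath(os.path.join(base, sid))
    if os.path.dirname(fname) != base or not os.path.isfile(fname):
        return None
    with open(fname, "rb") as f:
        blob = f.read()
    mac, payload = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return pickle.loads(payload)          # only bytes this server wrote and signed


def demo():
    """Legitimate session vs. files an attacker controls: one planted outside the
    session directory (stands in for an authenticated upload on POSIX or an SMB
    share on Windows) and one dropped inside it with a bogus MAC. Both pickles are
    harmless dicts here; a real one would carry a __reduce__ payload."""
    root = tempfile.mkdtemp()
    session_dir = os.path.join(root, "sessions")
    os.mkdir(session_dir)
    good_sid = "0123456789abcdef0123456789abcdef"
    write_session(session_dir, good_sid, {"user": "alice"})

    hostile = b"\0" * MAC_LEN + pickle.dumps({"user": "attacker"})
    planted = os.path.join(root, "planted.pkl")
    with open(planted, "wb") as f:
        f.write(hostile)
    forged_sid = "f" * 32
    with open(os.path.join(session_dir, forged_sid), "wb") as f:
        f.write(hostile)

    return {
        "legit_unsafe": load_session_unsafe(session_dir, good_sid),
        "legit_safe": load_session_safe(session_dir, good_sid),
        "traversal_unsafe": load_session_unsafe(session_dir, "../planted.pkl"),
        "traversal_safe": load_session_safe(session_dir, "../planted.pkl"),
        "absolute_unsafe": load_session_unsafe(session_dir, planted),
        "absolute_safe": load_session_safe(session_dir, planted),
        "forged_unsafe": load_session_unsafe(session_dir, forged_sid),
        "forged_safe": load_session_safe(session_dir, forged_sid),
        # Windows semantics evaluated portably through ntpath: the UNC sid replaces
        # the session directory outright, which is the unauthenticated vector.
        "unc_path": session_file(r"C:\pgadmin\sessions", r"\\attacker\share\s", ntpath.join),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17} {value}")
```

Running it shows the legitimate session loaded by both loaders, the planted and forged files accepted only by the unsafe loader, and the UNC join result with the session directory gone. The order of checks is the point: the signature is verified over raw bytes before pickle.loads, because an integrity value stored inside the pickle is only available after the deserialization has already run.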

💻 Affected Systems

Products:
  • pgAdmin
Versions: <= 8.3
Operating Systems: Windows, Linux, POSIX-compliant systems
Default Config Vulnerable: ⚠️ Yes
Notes: Windows: exploitable without authentication. Linux/POSIX: exploitation needs a valid pgAdmin login, so every account that can sign in is a potential attacker.

📦 What is this software?

pgAdmin 4 is the open-source, web-based administration and development tool for PostgreSQL. It is a Python (Flask) application that runs either as a desktop app or as a multi-user server reached through a browser, and it holds the connection details, and optionally the saved passwords, of every PostgreSQL server its users register.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the pgAdmin host: the attacker executes code as the account the pgAdmin process runs under and inherits every PostgreSQL server connection and saved password registered in it, from which database access, lateral movement and data exfiltration follow.

🟠

Likely Case

Attackers exploit the vulnerability to execute arbitrary code on the pgAdmin server, potentially accessing PostgreSQL databases, installing malware, or using the server as a pivot point.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the pgAdmin server itself, though database credentials could still be compromised.

🌐 Internet-Facing: HIGH - Internet-facing pgAdmin servers are directly exploitable by unauthenticated attackers on Windows and authenticated attackers on Linux.
🏢 Internal Only: MEDIUM - Internal servers still vulnerable to authenticated attackers or attackers who gain initial access to the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes on Windows; on Linux/POSIX an authenticated pgAdmin account is required
Complexity: LOW

Exploitation is straightforward and public proof-of-concept code exists. On Windows no credentials are needed; on Linux/POSIX any user who can log in to pgAdmin can exploit it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4 and later

Vendor Advisory: https://github.com/pgadmin-org/pgadmin4/issues/7258

Restart Required: Yes

Instructions:

1. Stop the pgAdmin service (or the desktop application / container).
2. Install pgAdmin 8.4 or later through the channel you installed it with (pip, OS package repository, or the dpage/pgadmin4 container image).
3. Start the service again; the fix is only live once the old process is gone.
4. Confirm the running version is 8.4 or later (Help > About in the web interface, or the package manager).
5. If there is any sign of prior exploitation, treat the host as compromised: rotate the PostgreSQL credentials stored in pgAdmin and review the session and storage directories for unexpected files.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all platforms

Restrict network access to pgAdmin to trusted IP addresses or internal networks. An allow rule on its own restricts nothing; it needs a matching deny for everyone else.

# ufw: allow the management network, then deny everyone else (rules match in order)
sudo ufw allow from 192.168.1.0/24 to any port 5050 proto tcp
sudo ufw deny 5050/tcp
# iptables equivalent: accept the trusted range, then drop the rest
sudo iptables -A INPUT -p tcp --dport 5050 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5050 -j DROP
# 5050 is the default port of a server-mode install; use the proxy's port (80/443) if pgAdmin sits behind a reverse proxy

Block Outbound SMB from Windows Hosts

Applies to: Windows

The unauthenticated vector on Windows depends on the pgAdmin process reading a session file from an attacker-controlled SMB share (a UNC path supplied in the session cookie). Blocking outbound SMB from the host to anything but trusted file servers removes that vector. It does nothing against an attacker who can already write files on the host, and pgAdmin has no configuration option for an alternative session serializer, so the session store itself cannot be switched away from pickle.

# Windows Firewall: block outbound SMB from the pgAdmin host (adjust if it legitimately uses file shares)
netsh advfirewall firewall add rule name="pgAdmin block outbound SMB" dir=out action=block protocol=TCP remoteport=445

🧯 If You Can't Patch

  • Immediately restrict network access to the pgAdmin server to the users and systems that need it; on Linux/POSIX, also prune pgAdmin accounts, since any user who can log in can exploit this.
  • At the reverse proxy or WAF, reject requests whose pga4_session cookie contains "/", "\" or ".." (a legitimate session ID never contains path characters); normalise URL-encoded variants before matching.
  • On Windows, block outbound SMB (TCP 445) from the host so a UNC session path cannot be fetched.
  • Run pgAdmin under a dedicated low-privilege account so code execution does not immediately yield the whole host.

🔍 How to Verify

Check if Vulnerable:

Check pgAdmin version via web interface or configuration files. Versions 8.3 and below are vulnerable.

Check Version:

Help > About in the web interface shows the running version. From the host: pip show pgadmin4 (pip installs), dpkg -l 'pgadmin4*' (Debian/Ubuntu) or rpm -qa 'pgadmin4*' (RHEL family); for containers, check the dpage/pgadmin4 image tag you deploy.

Verify Fix Applied:

Confirm the running version is 8.4 or later and that the upgrade actually replaced the running code (service restarted, container re-pulled and recreated). A version string read from an installer or image tag is not enough if the old process is still serving requests.

📡 Detection & Monitoring

Log Indicators:

  • Session cookie (pga4_session) values containing "/", "\", ".." or a drive letter; these are visible only where the reverse proxy is configured to log that cookie
  • Unpickling errors or Python tracebacks in pgadmin4.log around session handling
  • On Windows, the pgAdmin process opening files on remote shares; on Linux/POSIX, unexpected files appearing under the pgAdmin storage directory shortly before such errors

Network Indicators:

  • Requests carrying path separators or ".." in the pga4_session cookie instead of an opaque session ID
  • On Windows, outbound SMB (TCP 445) connections from the pgAdmin host to unfamiliar addresses immediately after such a request

SIEM Query:

# Reverse-proxy access log with the pga4_session cookie recorded (see Log Indicators)
source="pgadmin-proxy-access" AND cookie_pga4_session MATCHES "(\.\.[/\\]|^[/\\]|^[A-Za-z]:)"
# pgAdmin's own log: deserialization failures around session handling
source="pgadmin4.log" AND ("UnpicklingError" OR "pickle")
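Added detection example, not pgAdmin's or any vendor's rule: it assumes nginx in front of pgAdmin with a custom log_format that records the pga4_session cookie through nginx's $cookie_pga4_session variable, and the log lines below are constructed. It undoes nginx's default \xHH escaping of backslashes, splits the cookie into its session ID and digest, and flags IDs that carry path syntax, which a real session ID never does.

```python
"""Added detection example for CVE-2024-2044-style session-cookie traversal. Not
pgAdmin's or a vendor's rule: it scans reverse-proxy access logs in which the pgAdmin
session cookie was logged and flags session IDs that carry path syntax. The log format
and the sample lines are constructed for the demo, assuming nginx in front of pgAdmin with
    log_format pga '$remote_addr [$time_local] "$request" $status "$cookie_pga4_session"';
"""
import re
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def nginx_unescape(value: str) -> str:
    """nginx writes '"', '\\' and non-printables into logs as \\xHH; undo that so a
    UNC prefix logged as \\x5C\\x5C is inspected as two real backslashes."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def session_id(cookie_value: str) -> str:
    """The pga4_session cookie is '<sid>!<digest>'; only the sid is used as a path.
    Percent-decoding is normalisation for matching so encoded probes are caught too."""
    return unquote(nginx_unescape(cookie_value)).split("!", 1)[0]


def classify(sid: str):
    """Reason the sid looks like a path rather than an opaque token, else None."""
    if sid.startswith(("\\\\", "//")):
        return "UNC path (the unauthenticated Windows vector)"
    if sid.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", sid):
        return "absolute path"
    if ".." in sid or "/" in sid or "\\" in sid:
        return "relative traversal"
    return None


def scan(lines):
    """Parse each access-log line and return one alert per suspicious session cookie."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["cookie"] in ("", "-"):
            continue
        sid = session_id(m["cookie"])
        reason = classify(sid)
        if reason:
            alerts.append({"ip": m["ip"], "time": m["time"], "request": m["request"],
                           "status": int(m["status"]), "sid": sid, "reason": reason})
    return alerts


# Constructed sample log: one benign session, one request without a cookie, three probes.
SAMPLE_LOG = [
    '198.51.100.20 [10/Mar/2024:12:00:01 +0000] "GET /browser/ HTTP/1.1" 200 '
    '"3f9c2b1e4a7d48c6a0b1e2d3c4f5a6b7!9a8b7c6d"',
    '198.51.100.20 [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 "-"',
    '203.0.113.7 [10/Mar/2024:12:05:10 +0000] "GET /browser/ HTTP/1.1" 500 '
    '"../../../../var/lib/pgadmin/storage/attacker_example.com/evil.pkl!x"',
    '203.0.113.7 [10/Mar/2024:12:05:11 +0000] "GET /browser/ HTTP/1.1" 500 '
    '"\\x5C\\x5C203.0.113.7\\x5Cshare\\x5Csession!x"',
    '203.0.113.7 [10/Mar/2024:12:05:12 +0000] "GET /browser/ HTTP/1.1" 500 '
    '"%2e%2e%2f%2e%2e%2fetc%2fpgadmin%2fx!x"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ip"]} {a["reason"]}: {a["sid"]}')
```

The status code is deliberately not part of the rule: a successful attack and a failed probe can both return errors, and on Windows the planted file may load cleanly. Alert on the cookie shape and correlate with outbound SMB or storage-directory writes afterwards.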

🔗 References

  • Vendor advisory and fix tracking: https://github.com/pgadmin-org/pgadmin4/issues/7258
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-2044