CVE-2024-3116

7.4 HIGH

📋 TL;DR

pgAdmin versions up to 8.4 contain a remote code execution vulnerability in the validate binary path API. Attackers can exploit this to execute arbitrary code on the server hosting pgAdmin, potentially compromising the database management system and underlying data. All users running pgAdmin <= 8.4 are affected.

💻 Affected Systems

Products:
  • pgAdmin
Versions: <= 8.4
Operating Systems: All platforms running pgAdmin
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to database takeover, data exfiltration, and lateral movement to other systems.

🟠 Likely Case

Unauthorized code execution on the pgAdmin server, potentially allowing database access and manipulation.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Internet-facing pgAdmin instances are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable but require network access; risk depends on internal security controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5 and later

Vendor Advisory: https://github.com/pgadmin-org/pgadmin4/issues/7326

Restart Required: Yes

Instructions:

1. Back up your pgAdmin configuration and data.
2. Upgrade to pgAdmin 8.5 or later.
3. Restart the pgAdmin service.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to pgAdmin to only trusted IP addresses or internal networks.

Use firewall rules to limit access (replace trusted_ip with your trusted address or range; the ACCEPT rule must come before the DROP rule):

  iptables -A INPUT -p tcp --dport 5050 -s trusted_ip -j ACCEPT
  iptables -A INPUT -p tcp --dport 5050 -j DROP

Disable Vulnerable API Endpoint

Platform: all

If possible, disable or block access to the validate binary path API endpoint.

Configure the web server or reverse proxy in front of pgAdmin (e.g., nginx, Apache) to block requests to /validate_binary_path or similar vulnerable endpoints.

🧯 If You Can't Patch

  • Isolate pgAdmin server from internet and restrict internal network access to only necessary users.
  • Implement strict monitoring and alerting for suspicious activities on the pgAdmin server.

🔍 How to Verify

Check if Vulnerable:

Check pgAdmin version: if version <= 8.4, you are vulnerable.

Check Version:

pgadmin4 --version or check the web interface About page

Verify Fix Applied:

After upgrading, verify version is 8.5 or later and test that the validate binary path API no longer accepts malicious input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /validate_binary_path or similar API endpoints
  • Suspicious command execution in server logs
  • Failed authentication attempts followed by API exploitation

Network Indicators:

  • Unusual outbound connections from pgAdmin server
  • Traffic to known malicious IPs or domains

SIEM Query:

source="pgadmin.log" AND (url_path="/validate_binary_path" OR cmd_exec*)
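A defender-side check for the log indicator above, added here as an example (it is not part of this advisory or of pgAdmin): it parses combined-format access logs from a proxy in front of pgAdmin, counts requests whose path contains validate_binary_path per source address, and reports which sources lie outside a trusted network. The log lines, the /misc/validate_binary_path sample path and the trusted range are constructed.

```python
# Added example (not part of the advisory): flag requests to the pgAdmin
# validate-binary-path endpoint in reverse-proxy access logs, grouped by
# source address. Log lines are constructed; the match assumes the endpoint
# URL contains "validate_binary_path", as the advisory's indicator states.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined-log-format line from a proxy in front of pgAdmin (nginx/Apache style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
ENDPOINT = "validate_binary_path"

# Constructed sample: two calls from an outside host, one from an internal admin host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "POST /misc/validate_binary_path HTTP/1.1" 200 45
10.0.0.5 - - [10/Apr/2024:12:00:05 +0000] "GET /browser/ HTTP/1.1" 200 1200
203.0.113.7 - - [10/Apr/2024:12:00:09 +0000] "POST /misc/validate_binary_path HTTP/1.1" 200 45
10.0.0.5 - - [10/Apr/2024:12:01:00 +0000] "POST /misc/validate_binary_path HTTP/1.1" 200 45
"""

def find_endpoint_hits(log_text, trusted_networks=("10.0.0.0/8",)):
    """Return (hits_per_ip, untrusted_ips) for requests touching ENDPOINT.

    hits_per_ip counts every request whose path contains ENDPOINT;
    untrusted_ips is the subset of sources outside trusted_networks, i.e.
    traffic the advisory's network-restriction workaround should have blocked.
    """
    trusted = [ip_network(n) for n in trusted_networks]
    hits = Counter()
    untrusted = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m["path"]:
            continue  # unparseable line or unrelated request
        ip = m["ip"]
        hits[ip] += 1
        if not any(ip_address(ip) in net for net in trusted):
            untrusted.add(ip)
    return dict(hits), sorted(untrusted)

if __name__ == "__main__":
    hits, untrusted = find_endpoint_hits(SAMPLE_LOG)
    for ip, n in hits.items():
        flag = " [UNTRUSTED SOURCE]" if ip in untrusted else ""
        print(f"{ip}: {n} request(s) to {ENDPOINT}{flag}")
```

Any hit from an untrusted source on an unpatched instance warrants the same triage as a confirmed exploitation attempt, since a single request is enough per the advisory.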
