CVE-2024-9014

9.9 CRITICAL

📋 TL;DR

pgAdmin 4 versions 8.11 and earlier have a vulnerability in OAuth2 authentication that can expose the configured OAuth2 client ID and client secret. An attacker who obtains those credentials can use them to gain unauthorized access to user data. Every pgAdmin deployment running an affected version with OAuth2 authentication enabled is at risk; deployments that never enabled OAuth2 are not.

💻 Affected Systems

Products:
  • pgAdmin
Versions: 8.11 and earlier
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects installations with OAuth2 authentication enabled. Default installations without OAuth2 are not vulnerable.

📦 What is this software?

pgAdmin 4 is the open-source, web-based administration and development platform for PostgreSQL. It stores connection details for every database server it manages, and it supports OAuth2 as one of several login methods (alongside internal, LDAP, Kerberos and webserver authentication); that OAuth2 login method is the affected component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of pgAdmin instances leading to unauthorized database access, data exfiltration, and potential lateral movement to backend PostgreSQL servers.

🟠

Likely Case

Unauthorized access to pgAdmin interface allowing viewing/modification of database configurations, credentials, and sensitive data.

🟢

If Mitigated

Limited exposure if OAuth2 is not enabled or if network segmentation prevents external access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the pgAdmin instance and knowledge of OAuth2 configuration. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.12 or later

Vendor Advisory: https://github.com/pgadmin-org/pgadmin4/issues/7945

Restart Required: Yes

Instructions:

1. Back up the current pgAdmin configuration (config_local.py and the pgAdmin settings database).
2. Upgrade to pgAdmin 8.12 or later.
3. Restart the pgAdmin service.
4. Verify that the OAuth2 login flow still completes.
5. Rotate the OAuth2 client secret at your identity provider and update OAUTH2_CONFIG accordingly: the impact of this bug is exposure of that secret, so a secret that was configured on an affected version should be treated as compromised.

🔧 Temporary Workarounds

Disable OAuth2 Authentication

Platform: all

Temporarily disable OAuth2 authentication until patching is possible

Edit config_local.py (pgAdmin's override file; leave the shipped config.py untouched) and remove 'oauth2' from AUTHENTICATION_SOURCES so that only the other methods you use remain, e.g. AUTHENTICATION_SOURCES = ['internal']. Note that OAUTH2_AUTO_CREATE_USER only controls whether a first-time OAuth2 login provisions a pgAdmin user automatically; setting it to False does not disable the OAuth2 login flow and does not mitigate this issue.
Restart the pgAdmin service. Users who only ever logged in via OAuth2 will need another authentication method until the instance is patched and OAuth2 is re-enabled.

Network Restriction

Platform: all

Restrict network access to pgAdmin instance

Configure firewall rules to limit access to trusted IPs only

🧯 If You Can't Patch

  • Disable OAuth2 entirely by removing 'oauth2' from AUTHENTICATION_SOURCES and use one of pgAdmin's other login methods (internal, LDAP, Kerberos or webserver authentication)
  • Implement strict network segmentation and access controls around pgAdmin instances
  • Treat the OAuth2 client secret configured on the affected instance as potentially exposed and rotate it at the identity provider

🔍 How to Verify

Check if Vulnerable:

Check the pgAdmin version and the configured authentication sources. If the version is 8.11 or earlier and 'oauth2' appears in AUTHENTICATION_SOURCES (in config_local.py, or config.py if it was edited directly), the instance is vulnerable. OAUTH2_AUTO_CREATE_USER is not the deciding setting: it only controls auto-provisioning of users and may be either True or False on a vulnerable system.

Check Version:

Open the About dialog in the web interface; for pip installs, run pip show pgadmin4; for container deployments, check the tag of the dpage/pgadmin4 image in use.

Verify Fix Applied:

Confirm that the running version is 8.12 or later, that the OAuth2 login flow still completes end to end, and that the OAuth2 client secret has been rotated at the identity provider since the upgrade.
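The workaround and the verification checks above, combined into one script as an added example that is not pgAdmin's own code. It takes a version string (as shown in the About dialog or by pip show pgadmin4) and the text of config_local.py, parses the config with ast rather than executing it, and reports whether the install is exposed. The setting names AUTHENTICATION_SOURCES, OAUTH2_CONFIG and OAUTH2_AUTO_CREATE_USER are pgAdmin's real ones; the two embedded config_local.py samples, the provider name, client ID and secret in them are constructed for the example.

```python
"""Check a pgAdmin 4 deployment against CVE-2024-9014.

Added example, not pgAdmin project code. Inputs are a version string
(as shown in the About dialog or by `pip show pgadmin4`) and the text of
config_local.py. The config is parsed with ast, never executed, so a file
full of secrets (or arbitrary code) stays inert while it is inspected.
"""
import ast
import re

FIXED_VERSION = (8, 12)  # first release carrying the fix

# Constructed sample config_local.py: OAuth2 is a login source, so an
# install running 8.11 or earlier with this file is exposed.
VULNERABLE_CONFIG = """
AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
    'OAUTH2_NAME': 'example-idp',                       # made-up provider
    'OAUTH2_CLIENT_ID': 'constructed-client-id',
    'OAUTH2_CLIENT_SECRET': 'constructed-client-secret',
}]
"""

# Constructed sample with the workaround applied: 'oauth2' removed from
# AUTHENTICATION_SOURCES. OAUTH2_AUTO_CREATE_USER is left as-is on purpose;
# it plays no part in whether the OAuth2 flow is offered.
MITIGATED_CONFIG = """
AUTHENTICATION_SOURCES = ['internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
    'OAUTH2_NAME': 'example-idp',
    'OAUTH2_CLIENT_ID': 'constructed-client-id',
    'OAUTH2_CLIENT_SECRET': 'constructed-client-secret',
}]
"""


def parse_version(text):
    """'8.11' -> (8, 11); 'v9.0' -> (9, 0); any trailing suffix is ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised pgAdmin version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def config_setting(config_text, name, default=None):
    """Return the literal assigned to top-level NAME in config_text.

    ast.parse + ast.literal_eval instead of exec/import: the config file
    cannot run code this way. The last assignment wins, as in Python.
    """
    value = default
    for node in ast.parse(config_text).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == name:
                value = ast.literal_eval(node.value)
    return value


def oauth2_enabled(config_text):
    """pgAdmin offers OAuth2 login only when 'oauth2' is listed in
    AUTHENTICATION_SOURCES; the shipped default is ['internal']."""
    sources = config_setting(config_text, "AUTHENTICATION_SOURCES", ["internal"])
    return "oauth2" in sources


def assess(version_text, config_text):
    """Combine the version check and the config check into one verdict."""
    version = parse_version(version_text)
    enabled = oauth2_enabled(config_text)
    patched = version >= FIXED_VERSION
    providers = config_setting(config_text, "OAUTH2_CONFIG", []) or []
    return {
        "version": version,
        "patched": patched,
        "oauth2_enabled": enabled,
        "vulnerable": enabled and not patched,
        # Providers whose secret sits in this config; if the install ever ran
        # an affected version with OAuth2 enabled, rotate these at the IdP.
        "providers_with_secret": [
            p.get("OAUTH2_NAME", "?") for p in providers
            if "OAUTH2_CLIENT_SECRET" in p
        ],
    }


if __name__ == "__main__":
    for label, ver, cfg in [
        ("8.11 + oauth2", "8.11", VULNERABLE_CONFIG),
        ("8.11 + workaround", "8.11", MITIGATED_CONFIG),
        ("8.12 + oauth2", "8.12", VULNERABLE_CONFIG),
    ]:
        print(f"{label:20} {assess(ver, cfg)}")
```

Point the script at a real deployment by reading config_local.py from disk and pasting the version from the About dialog; "vulnerable" is True only for the combination the page describes (8.11 or earlier with 'oauth2' in AUTHENTICATION_SOURCES), and "providers_with_secret" lists the identity providers whose secret should be rotated once the instance is upgraded.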

📡 Detection & Monitoring

Log Indicators:

  • Unusual OAuth2 authentication patterns
  • Multiple failed OAuth2 attempts from same source
  • Access from unexpected IP addresses

Network Indicators:

  • Unusual traffic to /oauth2/ endpoints
  • Credential harvesting patterns

SIEM Query:

source="pgadmin" AND (event="oauth2" OR event="authentication") AND status="success" | stats count by src_ip
