CVE-2025-9636

7.9 HIGH

📋 TL;DR

pgAdmin versions up to 9.7 have a Cross-Origin Opener Policy vulnerability that allows attackers to manipulate OAuth authentication flows. This could lead to unauthorized account access, account takeover, and data breaches. All pgAdmin users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • pgAdmin
Versions: <= 9.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all pgAdmin deployments using OAuth authentication. Default installations are vulnerable.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover leading to unauthorized database access, privilege escalation, and potential data exfiltration.

🟠

Likely Case

Unauthorized access to pgAdmin accounts, potentially exposing database credentials and sensitive data.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, but authentication bypass still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to trick a user into visiting a malicious site while that user is authenticated to pgAdmin; manipulation of the OAuth flow is also needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.8 or later

Vendor Advisory: https://github.com/pgadmin-org/pgadmin4/issues/9114

Restart Required: Yes

Instructions:

1. Back up the current pgAdmin configuration.
2. Upgrade to pgAdmin 9.8 or later.
3. Restart the pgAdmin service.
4. Verify OAuth functionality.

🔧 Temporary Workarounds

Disable OAuth Authentication

all

Temporarily disable OAuth authentication and use an alternative authentication method.

Edit pgAdmin config.py and set OAUTH2_ENABLED = False

Network Isolation

all

Restrict pgAdmin access to trusted networks only

Configure firewall rules to limit pgAdmin port access

🧯 If You Can't Patch

  • Implement strict network access controls to limit pgAdmin exposure
  • Enable multi-factor authentication and monitor for suspicious authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check pgAdmin version via web interface or command line. Versions <= 9.7 are vulnerable.

Check Version:

pgadmin4 --version

Verify Fix Applied:

Verify pgAdmin version is 9.8 or later and test OAuth authentication flow.

📡 Detection & Monitoring

Log Indicators:

  • Unusual OAuth authentication patterns
  • Multiple failed authentication attempts from unexpected sources

Network Indicators:

  • Suspicious cross-origin requests to pgAdmin OAuth endpoints

SIEM Query:

source="pgadmin" AND (event="oauth_callback" OR event="authentication") AND status="success" FROM unexpected_ip
