Impact statement: pgAdmin 4 version 9.15 fixes a cluster of security issues affecting pgAdmin server-mode deployments. The most important fixes include CVE-2026-7813 for cross-user data access and shared-server privilege exposure, CVE-2026-7816 for command execution risk in export workflows, CVE-2026-7818 for unsafe session handling that could lead to remote code execution, and related fixes for SQL injection, path traversal, SSRF/LFI, stored XSS, and account-lockout bypass. For hosting providers and database admins, the practical risk is unauthorized access to saved server connections, database metadata, exports, session data, and the pgAdmin host itself.
This is a protect-only guide. We are not publishing attack steps, scanner-ready checks, request details, or lab notes. The safe answer is to update pgAdmin 4 to 9.15 or newer, reduce public exposure, restart the service, review users and saved server definitions, and check logs for suspicious administrative activity.
Who Is Affected
- pgAdmin 4 server-mode deployments older than 9.15.
- Docker and containerized pgAdmin installs exposed to teams, customers, developers, or support staff.
- Linux package installs used as shared PostgreSQL administration portals.
- Windows Server or admin workstations that run pgAdmin for production database access.
- Hosting providers, SaaS teams, agencies, and MSPs with saved database server definitions or shared-server access.
The desktop-only risk is lower than an exposed shared pgAdmin web portal, but it still matters on admin workstations that connect to production databases. Treat public or VPN-reachable server-mode pgAdmin as the urgent patch lane.
Patch First
Back up the pgAdmin configuration and confirm how the service is installed before changing packages or containers. If pgAdmin stores saved server definitions for production databases, plan a short maintenance window and notify admins who may be connected.
Docker Or Compose
docker pull dpage/pgadmin4:9.15
docker compose pull pgadmin
docker compose up -d pgadmin
docker compose logs --tail=100 pgadmin
If your compose service has a different name, replace pgadmin with the service name from your stack. Confirm the image tag, health status, and login page after the restart.
Linux Packages
sudo apt update
sudo apt install --only-upgrade pgadmin4 pgadmin4-web
sudo systemctl restart apache2 2>/dev/null || true
sudo systemctl restart httpd 2>/dev/null || true
On RHEL, AlmaLinux, Rocky Linux, or CloudLinux systems that use a pgAdmin repository, use your normal package manager and then restart the web service that serves pgAdmin.
sudo dnf upgrade 'pgadmin4*'
sudo systemctl restart httpd 2>/dev/null || true
sudo systemctl restart nginx 2>/dev/null || true
Python Package Installs
python3 -m pip show pgadmin4
python3 -m pip install --upgrade 'pgadmin4>=9.15'
python3 -m pip show pgadmin4
Windows Admin Machines
Download the current pgAdmin installer from the official pgAdmin download page, close pgAdmin, install the update, and reopen it. For Windows Server machines or support workstations that connect to customer databases, update during a support window and confirm the installed pgAdmin version before reconnecting to production systems.
Temporary Protection If You Cannot Patch Today
- Remove public Internet access to pgAdmin and require VPN, SSO, or an IP allowlist.
- Disable shared-server features where they are not required.
- Limit pgAdmin to a small admin group until the update is complete.
- Rotate credentials for saved database connections if you suspect unauthorized access.
- Apply WAF or reverse-proxy controls for suspicious admin and export behavior while patching is pending.
- Block old staging copies, forgotten containers, and developer-only pgAdmin instances from public networks.
Safe Review Checklist
After patching, review pgAdmin like a shared administrative portal. Look for unexpected accounts, changed saved servers, unusual export/download behavior, failed logins, unfamiliar source IPs, and changes to database roles.
docker compose ps pgadmin
docker compose logs --since=24h pgadmin | tail -200
python3 -m pip show pgadmin4 2>/dev/null || true
For Linux package installs, also review the web server logs that front pgAdmin. For Windows admin workstations, review the local install version, browser history around pgAdmin access if relevant, and any saved database credentials that should be rotated.
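A small POSIX shell script, added here and not part of pgAdmin or this advisory, that turns the version checks above into one repeatable host inventory: it classifies any pgAdmin version string against the 9.15 fixed release and lists the Docker, pip and apt installs it can see. The file name check_pgadmin.sh and the Debian version-suffix format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory or the pgAdmin project: classify a pgAdmin 4
# version string against the fixed release 9.15 and inventory the installs on this host.
# Assumes pgAdmin 4 uses MAJOR.MINOR version tags (e.g. 8.14, 9.15), as in the advisory.
FIXED_MAJOR=9
FIXED_MINOR=15
# Print UPDATE, OK or UNKNOWN for a version such as "8.14", "9.15", "v9.2" or "latest".
pgadmin_status() {
  ver=${1#v}
  case "$ver" in
    ''|*[!0-9.]*) echo UNKNOWN; return 0 ;;   # non-numeric tag: confirm the version by hand
  esac
  major=${ver%%.*}
  minor=${ver#*.}
  [ "$minor" = "$ver" ] && minor=0            # bare "9" carries no minor component
  minor=${minor%%.*}
  [ -z "$minor" ] && minor=0                  # tolerate a trailing dot such as "9."
  if [ "$major" -lt "$FIXED_MAJOR" ] ||
     { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; }; then
    echo UPDATE
  else
    echo OK
  fi
}

# One line per install found: "<source> <name> <version> <status>". Docker image tags,
# pip metadata and dpkg versions are all fed through pgadmin_status; the Debian
# packaging suffix (e.g. "-1.pgdg22.04+1", an assumed format) is stripped first.
scan_pgadmin_installs() {
  if command -v docker >/dev/null 2>&1; then
    docker ps --format '{{.Names}} {{.Image}}' 2>/dev/null | grep -i pgadmin |
    while read -r name image; do
      tag=${image##*:}
      [ "$tag" = "$image" ] && tag=latest     # untagged image resolves to :latest
      echo "docker $name $tag $(pgadmin_status "$tag")"
    done
  fi
  if command -v python3 >/dev/null 2>&1; then
    pipver=$(python3 -m pip show pgadmin4 2>/dev/null | awk '/^Version:/ {print $2}')
    [ -n "$pipver" ] && echo "pip pgadmin4 $pipver $(pgadmin_status "$pipver")"
  fi
  if command -v dpkg-query >/dev/null 2>&1; then
    debver=$(dpkg-query -W -f '${Version}' pgadmin4 2>/dev/null || true)
    debver=${debver%%[-+~]*}
    [ -n "$debver" ] && echo "apt pgadmin4 $debver $(pgadmin_status "$debver")"
  fi
  return 0
}
case "${1:-}" in scan) scan_pgadmin_installs ;; esac   # usage: sh check_pgadmin.sh scan
```

Any line reporting UPDATE or UNKNOWN is an install to patch or to verify by hand before it is counted as fixed.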
Hosting Provider Checklist
- Inventory pgAdmin containers, package installs, and support workstations.
- Prioritize shared portals, customer-accessible admin tools, and pgAdmin instances with saved production database connections.
- Update to pgAdmin 4 9.15 or newer and restart the serving container or web service.
- Confirm that pgAdmin is not exposed directly to the public Internet.
- Review admin users, saved server definitions, recent exports, and authentication logs.
- Notify database owners if credentials were stored in a shared pgAdmin instance and exposure is suspected.
What To Tell Customers
Tell customers that pgAdmin released a security update for shared web deployments. The update fixes several access-control and server-side handling issues. If you host pgAdmin for them, the safe path is to update, restart, confirm access controls, and review recent admin activity. Customers do not need exploit details; they need to know whether their database admin portal was exposed and whether saved credentials should be rotated.
