{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-12049","assignerOrgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","state":"PUBLISHED","assignerShortName":"PostgreSQL","dateReserved":"2026-06-11T20:40:09.111Z","datePublished":"2026-06-18T23:37:43.328Z","dateUpdated":"2026-06-22T14:39:56.925Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f86ef6dc-4d3a-42ad-8f28-e6d5547a5007","shortName":"PostgreSQL","dateUpdated":"2026-06-18T23:37:43.328Z"},"title":"pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter","affected":[{"vendor":"pgadmin.org","product":"pgAdmin 4","repo":"https://github.com/pgadmin-org/pgadmin4","modules":["Authentication","Multi-Factor Authentication"],"programFiles":["https://github.com/pgadmin-org/pgadmin4/blob/master/web/pgadmin/authenticate/mfa/views.py"],"versions":[{"status":"affected","version":"6.0","lessThan":"9.16","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.\n\nThe defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.\n\nFix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.\n\nThis issue affects pgAdmin 4: from 6.0 before 9.16."}],"references":[{"url":"https://github.com/pgadmin-org/pgadmin4/issues/10028","tags":["issue-tracking"]},{"url":"https://github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a9076d204cd","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"Attacker delivers a crafted /mfa/validate?next=<external> URL to a logged-in pgAdmin user (typically via phishing). The endpoint requires login_required so the victim must already be authenticated to pgAdmin -- but the *attacker* needs no pgAdmin privileges at all to construct and deliver the link (PR:N). UI:R captures the click. Scope is unchanged: the defect does not grant the attacker access to pgAdmin's authority or the victim's database session; it only launders the attacker's destination through pgAdmin's URL, which raises credential-phishing success rates. C:N and A:N follow from the same reasoning; I:L acknowledges the integrity impact of an authenticated-flow redirect that lends pgAdmin's trust to an attacker domain.\n\nReviewer note (Dave Page, 2026-06-11): defensible at 4.3 for a token-free open redirect. Heads-up that NVD house style for open redirects often lands at S:C/C:L/I:L -> 6.1, so expect a possible upward rescore by the NVD analyst."}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":4.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"Same reasoning as the CVSS 3.1 entry: the attacker needs no pgAdmin privileges to craft the link, the victim must click it (UI:P), and the defect grants no new vulnerable-system or subsequent-system capability beyond a trusted-domain redirect that aids downstream phishing (VI:L only)."}],"cvssV4_0":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","baseScore":5.3,"baseSeverity":"MEDIUM"}}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-601 URL Redirection to Untrusted Site ('Open Redirect')","cweId":"CWE-601","type":"CWE"}]}],"credits":[{"lang":"en","value":"Mai Phạm Hiền <mai.phamhien171@gmail.com>","type":"finder"},{"lang":"en","value":"Dave Page <page@pgadmin.org>","type":"remediation developer"},{"lang":"en","value":"Kundan Sable <kundan.sable@enterprisedb.com>","type":"remediation reviewer"}],"source":{"discovery":"EXTERNAL"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-22T14:39:40.324350Z","id":"CVE-2026-12049","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-22T14:39:56.925Z"}}]}}