CVE-2026-1707
Restore restriction bypass via key disclosure vulnerability (pgAdmin 4)
| CVSS Score | 7.4 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
pgAdmin version 9.11 is affected by a restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `\restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `\unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation.
| Vendor | pgadmin.org |
| Product | pgadmin 4 |
| Published | Feb 5, 2026 |
| Last Updated | Feb 26, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
pgadmin.org / pgAdmin 4
9.11