Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=<external> -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.
The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.
Fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.
This issue affects pgAdmin 4: from 6.0 before 9.16.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS Score: 4.3
Attacker delivers a crafted /mfa/validate?next=<external> URL to a logged-in pgAdmin user (typically via phishing). The endpoint requires login_required so the victim must already be authenticated to pgAdmin -- but the attacker needs no pgAdmin privileges at all to construct and deliver the link (PR:N). UI:R captures the click. Scope is unchanged: the defect does not grant the attacker access to pgAdmin's authority or the victim's database session; it only launders the attacker's destination through pgAdmin's URL, which raises credential-phishing success rates. C:N and A:N follow from the same reasoning; I:L acknowledges the integrity impact of an authenticated-flow redirect that lends pgAdmin's trust to an attacker domain.
Reviewer note (Dave Page, 2026-06-11): defensible at 4.3 for a token-free open redirect. Heads-up that NVD house style for open redirects often lands at S:C/C:L/I:L -> 6.1, so expect a possible upward rescore by the NVD analyst.
| Attack Vector |
Network |
Scope |
Unchanged |
| Attack Complexity |
Low |
Confidentiality Impact |
None |
| Privileges Required |
None |
Integrity Impact |
Low |
| User Interaction |
Required |
Availability Impact |
None |
Attacker delivers a crafted /mfa/validate?next=<external> URL to a logged-in pgAdmin user (typically via phishing). The endpoint requires login_required so the victim must already be authenticated to pgAdmin -- but the attacker needs no pgAdmin privileges at all to construct and deliver the link (PR:N). UI:R captures the click. Scope is unchanged: the defect does not grant the attacker access to pgAdmin's authority or the victim's database session; it only launders the attacker's destination through pgAdmin's URL, which raises credential-phishing success rates. C:N and A:N follow from the same reasoning; I:L acknowledges the integrity impact of an authenticated-flow redirect that lends pgAdmin's trust to an attacker domain.
Reviewer note (Dave Page, 2026-06-11): defensible at 4.3 for a token-free open redirect. Heads-up that NVD house style for open redirects often lands at S:C/C:L/I:L -> 6.1, so expect a possible upward rescore by the NVD analyst.
CVSS 3.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3
Same reasoning as the CVSS 3.1 entry: the attacker needs no pgAdmin privileges to craft the link, the victim must click it (UI:P), and the defect grants no new vulnerable-system or subsequent-system capability beyond a trusted-domain redirect that aids downstream phishing (VI:L only).
| Exploitability Metrics |
Vulnerable System Impact Metrics |
Subsequent System Impact Metrics |
| Attack Vector |
Network |
Confidentiality |
None |
Confidentiality |
None |
| Attack Complexity |
Low |
Integrity |
Low |
Integrity |
None |
| Attack Requirements |
None |
Availability |
None |
Availability |
None |
| Privileges Required |
None |
| User Interaction |
Passive |
Same reasoning as the CVSS 3.1 entry: the attacker needs no pgAdmin privileges to craft the link, the victim must click it (UI:P), and the defect grants no new vulnerable-system or subsequent-system capability beyond a trusted-domain redirect that aids downstream phishing (VI:L only).
CVSS 4.0