CVE-2022-0959
Description
A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In pgAdmin 4 server mode, an authenticated attacker can exploit a path traversal vulnerability in the file upload function to write files to arbitrary writable directories.
Vulnerability
The vulnerability resides in the file upload mechanism of pgAdmin 4 when running in server mode. The endpoint handling upload requests fails to validate that the resolved upload path is a child of the user's designated storage directory, allowing path traversal [3][4]. This affects all versions of pgAdmin 4 prior to 6.7 (released 2022-03-14) in server mode; desktop mode is not affected [3][4].
Exploitation
An attacker must be an authenticated user with a valid session cookie and CSRF token [2][4]. The attacker crafts an HTTP request to the upload endpoint, manipulating the path parameter (e.g., using ../ sequences) to specify a destination outside the designated storage directory [3][4]. With a single request, the file is written to the attacker-chosen location.
Impact
Successful exploitation allows the attacker to write uploaded files to any directory the operating system user running pgAdmin has write permissions to [1][2][4]. This can lead to arbitrary file write, potentially resulting in remote code execution if the attacker places a malicious file (e.g., a Python script) in a location that pgAdmin or the server executes [2]. The attacker gains the ability to influence the file system state, possibly escalating privileges within the server context.
Mitigation
The issue is fixed in pgAdmin 4 version 6.7, released on 2022-03-14 [3][4]. Users running pgAdmin in server mode (including container-based deployments) should upgrade immediately [3]. No workaround is documented for users who cannot upgrade; limiting the write permissions of the operating system account under which pgAdmin runs only reduces the impact of a successful attack [2][4].
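To show why the pre-6.7 containment check let a traversing path through and what the normalisation in the fix changes, here is an added Python example; it is not pgAdmin's code, and STORAGE_DIR, the function names and the sample file names are constructed for the demonstration:

```python
import os
import pathlib

# Constructed per-user storage root for the demonstration; not a real pgAdmin path.
STORAGE_DIR = "/srv/pgadmin/storage/alice"


def vulnerable_check(the_dir: str, candidate: str) -> bool:
    """Shape of the pre-6.7 check: relative_to() applied straight to the
    candidate path. pathlib is purely lexical and keeps '..' components, so a
    path that climbs back out of the_dir still has the_dir as a prefix and
    passes even though the OS will write somewhere else."""
    try:
        pathlib.Path(candidate).relative_to(the_dir)
        return True
    except ValueError:
        return False


def fixed_check(the_dir: str, new_name: str) -> bool:
    """Shape of the 6.7 fix: join, normalise with os.path.abspath() (which
    collapses '..' and '.'), then test containment. os.path.join() discards
    the_dir when new_name is absolute, so an absolute name is judged on its
    own normalised value. the_dir is normalised here too (the upstream hunk
    passes it as-is)."""
    try:
        full = os.path.abspath(os.path.join(the_dir, new_name))
        pathlib.Path(full).relative_to(os.path.abspath(the_dir))
        return True
    except ValueError:
        return False


def safe_destination(the_dir: str, new_name: str) -> str:
    """Stricter variant (our addition, not the upstream fix): resolve symlinks
    with realpath() and return the checked path itself, so the value that is
    validated is exactly the value that gets written."""
    root = os.path.realpath(the_dir)
    dest = os.path.realpath(os.path.join(root, new_name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination is outside the storage directory")
    return dest


if __name__ == "__main__":
    # Constructed sample names: one legitimate, two that climb out of the root.
    for name in ("reports/q1.sql", "../bob/x", STORAGE_DIR + "/../bob/x"):
        old = vulnerable_check(STORAGE_DIR, os.path.join(STORAGE_DIR, name))
        print(f"{name!r:45} old={old!s:5} new={fixed_check(STORAGE_DIR, name)}")
```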
- GitHub - pgadmin-org/pgadmin4 (project repository)
- NVD - CVE-2022-0959
- Fix commit pgadmin-org/pgadmin4@dccd4f0 - Ensure that upload paths are children of the storage directory. Fixes…
- Unrestricted file upload in pgAdmin
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pgadmin4 (PyPI) | < 6.7 | 6.7 |
Affected products
Five GHSA coordinates, none with a CPE; version ranges as listed by the advisory:
- pkg:pypi/pgadmin4: < 6.7
- pkg:rpm/opensuse/pgadmin4 (openSUSE Leap 15.3): < 4.30-150300.3.3.1
- pkg:rpm/opensuse/pgadmin4 (openSUSE Leap 15.4): < 4.30-150300.3.3.1
- pkg:rpm/opensuse/pgadmin4 (openSUSE Tumbleweed): < 8.2-1.1
- pkg:rpm/suse/pgadmin4 (SUSE Linux Enterprise Module for Server Applications 15 SP3): < 4.30-150300.3.3.1
Patches
1. dccd4f0bbaaf - Ensure that upload paths are children of the storage directory. Fixes #7233
2 files changed, +17 −9
docs/en_US/release_notes_6_7.rst+12 −8 modified@@ -2,21 +2,25 @@ Version 6.7 ************ -Release date: 2022-03-11 +Release date: 2022-03-14 This release contains a number of bug fixes and new features since the release of pgAdmin4 6.6. -New features -************ +.. note:: **Security Release** + Please note that this release includes a security update to fix an issue + where a user could upload files to directories outside of their storage directory, when using pgAdmin + running in server mode. -Housekeeping -************ + Users running pgAdmin in server mode, including the standard container based distribution, should upgrade + to this release as soon as possible. + This issue does not affect users running in desktop mode. Bug fixes ********* -| `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ - Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ. -| `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ - Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings. -| `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ - Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen. + | `Issue #7220 <https://redmine.postgresql.org/issues/7220>`_ - Fixed a schema diff issue where difference SQL isn't generated when foreign key values for a table differ. + | `Issue #7228 <https://redmine.postgresql.org/issues/7228>`_ - Fixed a schema diff issue where string separator '_$PGADMIN$_' is visible for identical user mappings. + | `Issue #7230 <https://redmine.postgresql.org/issues/7230>`_ - Fixed an issue where pgAdmin 4 took ~75 seconds to display the 'Starting pgAdmin' text on the splash screen. + | `Issue #7233 <https://redmine.postgresql.org/issues/7233>`_ - Ensure that upload paths are children of the storage directory.
web/pgadmin/misc/file_manager/__init__.py+5 −1 modified@@ -985,7 +985,11 @@ def add(self, req=None): try: # Check if the new file is inside the users directory if config.SERVER_MODE: - pathlib.Path(new_name).relative_to(the_dir) + pathlib.Path( + os.path.abspath( + os.path.join(the_dir, new_name) + ) + ).relative_to(the_dir) except ValueError: return self.ERROR_NOT_ALLOWED
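Review bot: in the web/pgadmin/misc/file_manager/__init__.py hunk, the normalised path built with `os.path.abspath(os.path.join(the_dir, new_name))` exists only inside the `relative_to()` call and is then discarded, so the path later used for the actual write is not the one that was validated; assign it (for example `new_name = os.path.abspath(os.path.join(the_dir, new_name))`) and use that value downstream so check and write cannot diverge. Also, `the_dir` is passed to `relative_to()` as-is and `abspath` is purely lexical: if `the_dir` is not itself absolute and normalised, or if a symlink under the storage directory points outside it, the containment test can either reject valid uploads or pass a path that resolves elsewhere. Normalising `the_dir` the same way (or using `os.path.realpath` for both sides) and documenting that assumption in the comment above the check would make this robust.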
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cr8c-972v-rmp3 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0959 (GHSA, advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_MISC, web)
- github.com/pgadmin-org/pgadmin4/commit/dccd4f0bbaafa783d9f0360c7592b128d5cc3928 (GHSA, web)