VYPR
High severity · GHSA Advisory · Published Jan 9, 2025 · Updated Aug 27, 2025

pgAdmin: users authenticating simultaneously via LDAP may be attached to the wrong session

CVE-2023-1907

Description

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In pgAdmin server mode with LDAP authentication, concurrent login attempts can attach a user to a session that already belongs to another authenticated user, with the effect of a session hijack.

Root cause

The vulnerability is a race condition in pgAdmin's login handling when LDAP authentication is used in server mode. The login entry point was not serialized, so when several users authenticated at the same time their in-flight logins could interleave and the back-end could associate a new session with another user's identity or with that user's existing, already-authenticated session [1][3]. The fix (commit fa29ba916326, listed under Patches) addresses this by running the whole login entry point under a single process-wide mutex.

Attack vector

The attacker needs network access to a pgAdmin instance that runs in server mode with LDAP authentication enabled, and must be able to submit a login request at the same moment as a legitimate user. No existing session is needed, because the flaw is in the login process itself; the description frames both parties as users logging in and does not state whether the attacker's own LDAP credentials must be valid. Success depends on timing: the attacker's login must interleave with the victim's [2][3].

Impact

An attacker whose login attempt coincides with a legitimate user's can be bound to that user's session and inherit the victim's privileges within the pgAdmin interface, including whatever database servers the victim's session can reach; this effectively bypasses authentication for the victim's account [1][2]. Because the race can misattach any concurrent login, a legitimate user may likewise end up in a session that belongs to someone else.

Mitigation

Upgrade to pgadmin4 7.0 or later; the Affected packages table lists versions below 7.0 as affected and 7.0 as patched, and the fix commit serializes the login entry point behind a mutex. As of the publication date (2025-01-09), Red Hat's advisory and the NVD entry acknowledge the vulnerability but neither provides a workaround [1][2]. Only deployments running in server mode with LDAP as an authentication source are exposed.
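To make the race described under Root cause and the shape of the mitigation concrete, the following is an added simulation; it is not pgAdmin's code and is not taken from the page's references. It models a hypothetical login path that publishes the bound username into a process-wide slot after the directory bind and reads that slot back when it attaches the session, first without any lock (the session can be attached to the wrong user) and then with the whole login serialized behind a threading.Lock, which mirrors the fix commit. The interleaving is forced with events so the result is deterministic; the directory, the credentials and the session identifiers are constructed stand-ins.

```python
import threading


class FakeLdap:
    """Constructed stand-in for an LDAP directory: a plain bind check."""

    USERS = {"alice": "pw-a", "bob": "pw-b"}  # constructed credentials

    def bind(self, username, password):
        return self.USERS.get(username) == password


class RacyAuthenticator:
    """Hypothetical login path with unserialized shared state (an assumed
    design, not pgAdmin's): the bound identity is published to a slot shared
    by all requests and read back when the session is attached, leaving a
    window between the two steps in which another login can overwrite it."""

    def __init__(self, directory):
        self.directory = directory
        self._authenticating = None  # shared across requests, no lock
        self.sessions = {}           # session id -> username it is attached to

    def login(self, session_id, username, password, after_bind=None):
        if not self.directory.bind(username, password):
            return None
        self._authenticating = username   # step 1: publish who just bound
        if after_bind is not None:
            after_bind()                  # test hook: another request runs here
        # step 2: attach the session to whoever the shared slot names (the bug)
        self.sessions[session_id] = self._authenticating
        return self.sessions[session_id]


class LockedAuthenticator(RacyAuthenticator):
    """Same logic, but the entire login is serialized by one process-wide
    mutex, the same shape as the fix (a Lock around the login entry point)."""

    _lock = threading.Lock()

    def login(self, session_id, username, password, after_bind=None):
        with self._lock:
            return super().login(session_id, username, password, after_bind)


def run_scenario(auth_cls, window_timeout=0.5):
    """Run alice's and bob's logins so that bob's whole login tries to execute
    inside alice's post-bind window. Returns the resulting session table."""
    auth = auth_cls(FakeLdap())
    alice_in_window = threading.Event()
    bob_done = threading.Event()

    def alice_window():
        alice_in_window.set()
        # Yield to bob. If bob is blocked on the lock this simply times out
        # and alice continues with her own identity still in the slot.
        bob_done.wait(timeout=window_timeout)

    def alice():
        auth.login("sess-alice", "alice", "pw-a", after_bind=alice_window)

    def bob():
        alice_in_window.wait()
        auth.login("sess-bob", "bob", "pw-b")
        bob_done.set()

    threads = [threading.Thread(target=alice), threading.Thread(target=bob)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(auth.sessions)


if __name__ == "__main__":
    print("unserialized:", run_scenario(RacyAuthenticator))
    print("serialized:  ", run_scenario(LockedAuthenticator))
```

Without the lock, alice's session ends up attached to "bob" because bob's login overwrote the shared slot inside her window; with the lock, bob's login blocks until alice's completes and both sessions are attached to their own users. Note that a threading.Lock is scoped to one interpreter process, so in a deployment with several WSGI worker processes each worker serializes only its own logins.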

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
pgadmin4 (PyPI)    < 7.0               7.0

Affected products

18

Patches

1
fa29ba916326

Fixed the LDAP authentication issue for the simultaneous login attempts.

https://github.com/pgadmin-org/pgadmin4 · Khushboo Vashi · Apr 4, 2023 · via ghsa
1 file changed · +22 −0
  • web/pgadmin/authenticate/__init__.py · +22 −0 · modified
    @@ -12,6 +12,7 @@
     import config
     import copy
     import functools
    +from threading import Lock
     
     from flask import current_app, flash, Response, request, url_for, \
         session, redirect, render_template
    @@ -35,6 +36,19 @@
     _URL_WITH_NEXT_PARAM = "{0}?next={1}"
     
     
    +class AuthLocker:
    +    """Implementing lock while authentication."""
    +    lock = Lock()
    +
    +    def __enter__(self):
    +        self.lock.acquire()
    +        return self
    +
    +    def __exit__(self, type, value, traceback):
    +        if self.lock.locked():
    +            self.lock.release()
    +
    +
     def get_logout_url() -> str:
         """
         Returns the logout url based on the current authentication method.
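Review bot: the `if self.lock.locked(): self.lock.release()` guard in `AuthLocker.__exit__` is redundant and slightly misleading: `Lock.locked()` only reports that some thread holds the lock, not that the current thread does, and since `__enter__` unconditionally acquires it, `__exit__` always finds it locked. A plain `self.lock.release()`, or dropping the class in favour of a module-level `_auth_lock = Lock()` used as `with _auth_lock:`, expresses the intent without the guard. The docstring should also say that `lock` is a class attribute and therefore one mutex for the whole interpreter process, and that `threading.Lock` does not extend across WSGI worker processes, so a multi-process deployment gets one independent lock per worker.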
    @@ -83,6 +97,14 @@ def login():
         Entry point for all the authentication sources.
         The user input will be validated and authenticated.
         """
    +    with AuthLocker():
    +        return _login()
    +
    +
    +def _login():
    +    """
    +    Internal authentication process locked by a mutex.
    +    """
         form = _security.forms.get('login_form').cls(request.form)
         if OAUTH2 in config.AUTHENTICATION_SOURCES \
                 and 'oauth2_button' in request.form:
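Review bot: `with AuthLocker(): return _login()` holds the global mutex for the entire login, including any network round trips the authentication sources make inside `_login` (the LDAP bind, and the OAUTH2 branch visible at the end of the hunk), so every login in the process is serialized behind the slowest one and an unresponsive directory server stalls all logins. Consider narrowing the critical section to the part that touches shared session state, or at least documenting the trade-off in the `_login` docstring. `Lock` is also non-reentrant: if anything reached from `_login` ever calls `login()` again, the request deadlocks on its own lock, so either an `RLock` or an explicit note in `login()` would make that failure mode visible.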
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.