VYPR
High severity · NVD Advisory · Published Sep 4, 2025 · Updated Feb 26, 2026

Cross-Origin Opener Policy Vulnerability in pgAdmin 4

CVE-2025-9636

Description

pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
pgadmin4 (PyPI)    < 9.8               9.8
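A defender-side check built from the description and the affected-version table, added here as an example and not part of pgAdmin or this advisory: it flags a deployment whose pgadmin4 version is below the patched 9.8 or whose responses carry no browser-honoured Cross-Origin-Opener-Policy value, because browsers fall back to unsafe-none for a missing or unrecognised header. The accepted values are taken from the comment in the patched web/config.py; the version strings and header dictionaries are constructed samples.

```python
"""Defender-side check for CVE-2025-9636 exposure (constructed example)."""

# pgadmin4 releases below this are listed as affected; 9.8 carries the fix.
FIXED_VERSION = (9, 8)

# COOP values a browser honours, mirroring the comment in the patched
# web/config.py. Any other token is ignored and behaves like 'unsafe-none'.
RESTRICTIVE_COOP = {"same-origin", "same-origin-allow-popups",
                    "noopener-allow-popups"}


def parse_version(text):
    """'9.7' -> (9, 7). Stops at the first non-numeric part ('9.8.dev0'
    -> (9, 8)); an unparsable string yields () and so compares as old."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_vulnerable(version):
    """True when the installed pgadmin4 is below the patched 9.8 release."""
    return parse_version(version) < FIXED_VERSION


def effective_coop(headers):
    """Policy a browser applies for these response headers. Header names
    match case-insensitively; the value token is case-sensitive, and a
    missing or unrecognised value collapses to 'unsafe-none'."""
    for name, value in headers.items():
        if name.lower() == "cross-origin-opener-policy":
            token = value.split(";", 1)[0].strip()
            return token if token in RESTRICTIVE_COOP else "unsafe-none"
    return "unsafe-none"


def assess(version, headers):
    """Both signals together: an unpatched version needs an upgrade, and a
    patched one still needs a header that actually isolates the opener."""
    coop = effective_coop(headers)
    return {
        "version_vulnerable": version_vulnerable(version),
        "effective_coop": coop,
        "needs_action": version_vulnerable(version) or coop == "unsafe-none",
    }
```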

Patches

cdeb18fcbb13

Fixed Cross-Origin Opener Policy (COOP) vulnerability in the OAuth 2.0 authentication flow (CVE-2025-9636). #9114

https://github.com/pgadmin-org/pgadmin4 · Khushboo Vashi · Sep 1, 2025 · via ghsa
3 files changed · +13 -0
  • docs/en_US/release_notes_9_8.rst (+1 -0, modified)
    @@ -35,4 +35,5 @@ Bug fixes
     
       | `Issue #9090 <https://github.com/pgadmin-org/pgadmin4/issues/9090>`_ -  Pin Paramiko to version 3.5.1 to fix the DSSKey error introduced in the latest release.
       | `Issue #9095 <https://github.com/pgadmin-org/pgadmin4/issues/9095>`_ -  Fixed an issue where pgAdmin config migration was failing while upgrading to v9.7.
    +  | `Issue #9114 <https://github.com/pgadmin-org/pgadmin4/issues/9114>`_ -  Fixed Cross-Origin Opener Policy (COOP) vulnerability in the OAuth 2.0 authentication flow (CVE-2025-9636).
       | `Issue #9116 <https://github.com/pgadmin-org/pgadmin4/issues/9116>`_ -  Fixed an issue where editor shortcuts fail when using Option key combinations on macOS, due to macOS treating Option+Key as a different key input.
    \ No newline at end of file
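Review bot: the release note names the fix but not the new CROSS_ORIGIN_OPENER_POLICY setting (default "same-origin") that this same change adds to web/config.py, nor that a Cross-Origin-Opener-Policy header is now emitted on responses; add a sentence naming the setting so operators who front pgAdmin with a proxy, or whose OAuth provider is opened in a popup, know where to look if the login flow behaves differently after upgrading. The "\ No newline at end of file" marker also shows the file still ends without a trailing newline; appending one keeps that marker out of every future diff of this file.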
    
  • web/config.py (+11 -0, modified)
    @@ -129,6 +129,17 @@
     # See https://tools.ietf.org/html/rfc7034 for more info.
     X_FRAME_OPTIONS = "SAMEORIGIN"
     
    +
    +# The Cross-Origin-Opener-Policy allows a website to control whether
    +# a new top-level document, opened using Window.open() or by navigating
    +# to a new page, is opened in the same browsing context group (BCG)
    +# or in a new browsing context group.
    +# Set to 'unsafe-none', 'same-origin-allow-popups', 'same-origin',
    +# or 'noopener-allow-popups'
    +
    +CROSS_ORIGIN_OPENER_POLICY = "same-origin"
    +
    +
     # The Content-Security-Policy header allows you to restrict how resources
     # such as JavaScript, CSS, or pretty much anything that the browser loads.
     # see https://content-security-policy.com/#source_list for more info
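Review bot: the new setting is a free-form string and nothing in this hunk validates it against the four values the comment lists, so a typo such as "sameorigin" would be sent as-is and, because browsers ignore an unrecognised Cross-Origin-Opener-Policy token and fall back to 'unsafe-none', would silently restore the state this patch removes; validate the value where it is read (or at startup) and fail loudly on anything outside the allowed set. The comment would also help administrators more if it said why 'same-origin' is the default for the OAuth flow, namely that it severs the opener relationship for a cross-origin popup, which is the property the fix relies on. Style: the added blank lines at the start and end of the block leave double blank lines around it; one on each side is enough.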
    
  • web/pgadmin/utils/security_headers.py (+1 -0, modified)
    @@ -21,6 +21,7 @@ def set_response_headers(response):
                 'X_CONTENT_TYPE_OPTIONS': 'X-Content-Type-Options',
                 'X_XSS_PROTECTION': 'X-XSS-Protection',
                 'WEB_SERVER': 'Server',
    +            'CROSS_ORIGIN_OPENER_POLICY': 'Cross-Origin-Opener-Policy'
             }
     
             # X-Frame-Options for security
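Review bot: the new mapping entry has no trailing comma, unlike the three entries above it, so the next addition will have to touch this line too; add the comma. More importantly, this hunk alone does not show whether set_response_headers skips a config key that is unset or empty, so confirm that an administrator who blanks CROSS_ORIGIN_OPENER_POLICY gets no header rather than an empty 'Cross-Origin-Opener-Policy:' line, and that the header is applied to the login and OAuth callback responses, since COOP only takes effect on top-level documents and the fix depends on those responses carrying it.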
    
