SB20260105123 - SUSE update for pgadmin4

Security Bulletin ID SB20260105123

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) LDAP injection (CVE-ID: CVE-2025-12764)

CWE-ID: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to improper input validation when processing DLAP queries. A remote non-authenticated attacker can pass a specially crafted username to the application causing the DC/LDAP server and the client to process unusual amount of data, leading to a denial of service condition.

2) Improper certificate validation (CVE-ID: CVE-2025-12765)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper TLS certificate validation in the LDAP authentication mechanism. The application accepts self-signed/invalid server certificates and completes TLS, enabling attackers to intercept LDAP credentials.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2026/suse-su-20260015-1/

SB20260105123 - SUSE update for pgadmin4

Breakdown by Severity

Description

Remediation

References

Please verify you're human