7.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-9636

GHSA ID

GHSA-6859-2qxq-ffv2

EPSS Score

0.03598%

CWE

CWE-346

Published

9/5/2025

Updated

9/5/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-9636

CVE-2025-9636: pgadmin4 is affected by a Cross-Origin Opener Policy (COOP) vulnerability

pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow, potentially leading to unauthorised account access, account takeover, data breaches, and privilege escalation.

(GitHub Advisory)

7.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-9636

GHSA ID

GHSA-6859-2qxq-ffv2

EPSS Score

0.03598%

CWE

CWE-346

Published

9/5/2025

Updated

9/5/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pgadmin4	pip	< 9.8	9.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Origin Opener Policy (COOP) misconfiguration in pgAdmin4's OAuth flow. The provided commit cdeb18fcbb139a200b5a4779c82f9cd1aaaf3c89 directly addresses this by introducing the Cross-Origin-Opener-Policy header.

The analysis of the patch reveals two key changes:

web/config.py: A new configuration option, CROSS_ORIGIN_OPENER_POLICY, is added and set to "same-origin". This defines the policy to be applied.
web/pgadmin/utils/security_headers.py: The set_response_headers function is modified to read the new configuration setting and add the Cross-Origin-Opener-Policy header to the HTTP response.

The function pgadmin.utils.security_headers.set_response_headers is the central point where the security headers are applied to outgoing responses. The vulnerability existed because this function was not setting the COOP header. By adding this logic, the patch mitigates the vulnerability. Any HTTP response generated during the OAuth flow would pass through this function, and its absence of the COOP header is the root cause of the vulnerability. Therefore, set_response_headers is the most relevant function that would appear in a runtime profile related to this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

p***min <= *.* is *****t** *y * *ross-Ori*in Op*n*r Poli*y (*OOP) vuln*r**ility. T*is vuln*r**ility *llows *n *tt**k*r to m*nipul*t* t** O*ut* *low, pot*nti*lly l***in* to un*ut*oris** ***ount ****ss, ***ount t*k*ov*r, **t* *r*****s, *n* privil*** *s

Reasoning

T** vuln*r**ility is * *ross-Ori*in Op*n*r Poli*y (*OOP) mis*on*i*ur*tion in p***min*'s O*ut* *low. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is *y intro*u*in* t** `*ross-Ori*in-Op*n*r-Poli*y` *****r. T** *n

7.9

Basic Information

Concerned about an active attack path?

CVE-2025-9636: pgadmin4 is affected by a Cross-Origin Opener Policy (COOP) vulnerability

7.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI