This vulnerability in pgAdmin 4 involves an open redirect (CWE-601) in the MFA validate and register endpoints. The 'next' query/form parameter is accepted without verifying that the redirect target is within the pgAdmin domain. An authenticated user clicking a crafted link could be redirected to an external attacker-controlled URL, increasing the risk of successful phishing attacks. The issue affects versions from 6.0 up to but excluding 9.16. The fix adds a same-origin check helper that validates redirect URLs, allowing only relative paths or absolute URLs matching the current host with http(s) schemes, rejecting unsafe targets and falling back to an internal page.

The vulnerability does not allow attackers to read or modify pgAdmin data or bypass privileges. However, it enables attackers to redirect authenticated users to malicious external sites via the MFA flow, potentially increasing the effectiveness of phishing attacks targeting credentials or session tokens.

No official patch or remediation level is explicitly stated in the advisory. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has described a fix involving a same-origin redirect validation helper, so upgrading to pgAdmin 4 version 9.16 or later is expected to resolve the issue. Until patched, users should be cautious of MFA-related links containing 'next' parameters and avoid clicking suspicious URLs.