The vulnerability in pgAdmin 4's File Manager is due to improper handling of symbolic links during access permission checks. The function check_access_permission uses os.path.abspath, which resolves '..' components but does not resolve symbolic links, while the kernel write operation follows symlinks. This discrepancy allows an authenticated user to plant a symbolic link inside their storage directory that points outside it, causing pgAdmin to write files to unintended paths. The patch changes the access check to use os.path.realpath for both source and destination paths and introduces an _open_upload_target helper that opens the target file with the O_NOFOLLOW flag to prevent TOCTOU (time-of-check to time-of-use) race conditions. File permissions are also hardened from 0o644 to 0o600. This vulnerability affects all versions of pgAdmin 4 prior to 9.15.

An authenticated user with access to pgAdmin 4 can exploit this vulnerability to cause the application to write files to arbitrary locations on the filesystem accessible by the pgAdmin process. This can lead to integrity violations and potentially denial of service or privilege escalation depending on the environment and file targets. The CVSS 3.1 score is 8.1 (High), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and impact on integrity and availability.

The vulnerability is fixed in pgAdmin 4 version 9.15 by switching to os.path.realpath for access checks and using O_NOFOLLOW when opening files to prevent symlink following. File permissions are also hardened. Since no official patch link or advisory is provided in the input, users should upgrade to pgAdmin 4 version 9.15 or later where this fix is implemented. Patch status is not yet confirmed from vendor advisory; check the official pgAdmin.org resources for the latest remediation guidance.