pgAdmin 4 versions prior to 9.15 have an improper restriction of excessive authentication attempts (CWE-307) vulnerability. The application enforces MAX_LOGIN_ATTEMPTS only on its custom /authenticate/login endpoint, but the default Flask-Security /login endpoint does not check the User.locked field due to reliance on UserMixin.is_locked() which always returns 'not locked'. Consequently, attackers can bypass account lockout by submitting credentials directly to /login, enabling unlimited online password guessing attacks against INTERNAL authentication accounts. The fix involves overriding User.is_active and User.is_locked() to enforce the locked status on all authentication paths. External authentication methods are not affected because they do not use local passwords and are rejected before the locked check.

An attacker can bypass brute-force protection controls for INTERNAL authentication accounts by using the /login endpoint instead of /authenticate/login, allowing unlimited password guessing attempts. This could lead to unauthorized access to accounts with valid credentials. The impact is limited to INTERNAL authentication users; other authentication methods are not affected. There is no indication of denial of service or privilege escalation beyond account compromise.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider restricting access to the /login endpoint or implementing additional external rate limiting controls to mitigate brute-force attacks on INTERNAL accounts. Monitoring for unusual authentication activity targeting INTERNAL users may also help detect exploitation attempts.