CVE-2025-46801

CRITICAL

Pgpool-II - Auth Bypass

Title source: llm

Description

Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. if the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.

References (3)

[Various Sources] https://www.pgpool.net/mediawiki/index.php/Main_Page#News

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/10/msg00014.html

[Third Party Advisory] https://jvn.jp/en/jp/JVN06238225/

Scores

CVSS v3 9.8

EPSS 0.0010

EPSS Percentile 27.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-305

Status published

Products (7)

PgPool Global Development Group/Pgpool-II 4.2.0 to 4.2.21

PgPool Global Development Group/Pgpool-II 4.3.0 to 4.3.14

PgPool Global Development Group/Pgpool-II 4.4.0 to 4.4.11

PgPool Global Development Group/Pgpool-II 4.5.0 to 4.5.6

PgPool Global Development Group/Pgpool-II 4.6.0

PgPool Global Development Group/Pgpool-II All versions of 4.0 series

PgPool Global Development Group/Pgpool-II All versions of 4.1 series

Published May 19, 2025

Tracked Since Feb 18, 2026