CVE-2026-6667

MEDIUM

PgBouncer missing authorization check in KILL_CLIENT admin command

Title source: cna

Description

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

References (1)

Core 1

Core References

https://www.pgbouncer.org/changelog.html#pgbouncer-125x

Scores

CVSS v3 4.3

EPSS 0.0029

EPSS Percentile 20.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

None/PgBouncer < 1.25.2

pgbouncer/pgbouncer < 1.25.2

Published May 09, 2026

Tracked Since May 09, 2026