CVE-2026-6667 PUBLISHED

PgBouncer missing authorization check in KILL_CLIENT admin command

Assigner: PostgreSQL
Reserved: 20.04.2026 Published: 09.05.2026 Updated: 09.05.2026

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. Any user who could log in to the administration console could run it. Console login is itself authenticated, but it is also granted to accounts listed in stats_users, which are intended to run only read-only SHOW commands, so those accounts could terminate other clients' connections. The correct behaviour, as of 1.25.2, is to accept KILL_CLIENT only from users listed in the admin_users parameter.
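To make the bug class concrete, the following is an added illustration written for this page; it is not PgBouncer source and does not reproduce PgBouncer's real console dispatcher or the exact KILL_CLIENT syntax. It models the two configuration lists (admin_users, stats_users) with constructed sample values and compares a gate that only checks "may use the console" against one that checks the privilege each command needs. The user names, the rules table and the function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not PgBouncer code): models console command authorization.
 * Two user lists are assumed, mirroring admin_users and stats_users.
 */

typedef enum { ROLE_NONE = 0, ROLE_STATS = 1, ROLE_ADMIN = 2 } console_role;

/* Constructed sample configuration values. */
static const char *const sample_admin_users[] = { "pgbouncer", NULL };
static const char *const sample_stats_users[] = { "monitor", NULL };

static bool in_list(const char *user, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(user, *list) == 0)
            return true;
    return false;
}

/* Role granted on the console: admin_users outranks stats_users. */
console_role console_role_for(const char *user)
{
    if (in_list(user, sample_admin_users))
        return ROLE_ADMIN;
    if (in_list(user, sample_stats_users))
        return ROLE_STATS;
    return ROLE_NONE;
}

/* Minimum role each console command needs; unknown commands are denied. */
typedef struct { const char *name; console_role min_role; } cmd_rule;

static const cmd_rule rules[] = {
    { "SHOW",        ROLE_STATS },
    { "PAUSE",       ROLE_ADMIN },
    { "RESUME",      ROLE_ADMIN },
    { "RELOAD",      ROLE_ADMIN },
    { "KILL",        ROLE_ADMIN },
    { "KILL_CLIENT", ROLE_ADMIN },
};

static const cmd_rule *find_rule(const char *cmd)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(cmd, rules[i].name) == 0)
            return &rules[i];
    return NULL;
}

/* Vulnerable pattern: the handler is reachable by anyone who passed console
 * login, so a stats-only account can run KILL_CLIENT. */
bool allowed_vulnerable(const char *user, const char *cmd)
{
    if (console_role_for(user) == ROLE_NONE)
        return false;               /* console login is still required */
    return find_rule(cmd) != NULL;  /* but no per-command privilege check */
}

/* Fixed pattern: compare the caller's role against the command's minimum. */
bool allowed_fixed(const char *user, const char *cmd)
{
    const cmd_rule *r = find_rule(cmd);
    if (r == NULL)
        return false;               /* deny by default */
    return console_role_for(user) >= r->min_role;
}

int main(void)
{
    const char *users[] = { "pgbouncer", "monitor", "appuser" };
    const char *cmds[]  = { "SHOW", "KILL_CLIENT" };
    for (size_t u = 0; u < 3; u++)
        for (size_t c = 0; c < 2; c++)
            printf("%-9s %-11s vulnerable=%d fixed=%d\n", users[u], cmds[c],
                   allowed_vulnerable(users[u], cmds[c]),
                   allowed_fixed(users[u], cmds[c]));
    return 0;
}
```

The table printed by main shows the single row that matters for this CVE: the stats-only account "monitor" is allowed to run KILL_CLIENT under the vulnerable gate and refused under the fixed one, while SHOW stays available to it in both. After upgrading to 1.25.2, the practical check is the same: connect to the console as an account present only in stats_users and confirm that KILL_CLIENT is rejected while SHOW commands still succeed.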

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 4.3

Product Status

Vendor n/a
Product PgBouncer
Versions Default: unaffected
  • affected from 0 to 1.25.2 (excl.)

Credits

  • HarutoKimura (finder): thanks to HarutoKimura for finding and reporting this problem.

References

Problem Types

  • CWE: Missing Authorization