CVE-2026-6667
PgBouncer missing authorization check in KILL_CLIENT admin command
| CVSS Score | 4.3 (Medium) |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. Any user able to log in to the administration console (which itself requires authorization) could run it; in practice that means users listed in stats_users, whose console access is meant to be read-only. Only users listed in the admin_users parameter should have been allowed to run KILL_CLIENT. The impact is limited to availability (terminating other clients' connections), which matches the CVSS vector below. The fix is to upgrade to 1.25.2 or later; the running version can be confirmed with SHOW VERSION on the console.
| CWE | CWE-862 |
| Vendor | n/a |
| Product | pgbouncer |
| Published | May 9, 2026 |
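The following Python is an added illustration of the CWE-862 pattern behind this advisory and is not PgBouncer's own source. It assumes a pgbouncer.ini with admin_users and stats_users lists, a two-level privilege model (admin users run everything, stats users only read-only SHOW commands) and the argument form `KILL_CLIENT <id>`; all of those are simplifying assumptions. It contrasts a dispatcher that gates state-changing commands one by one (and forgets KILL_CLIENT) with a deny-by-default dispatcher where the privilege level decides what is reachable.

```python
"""Model of the KILL_CLIENT authorization gap (CWE-862).

Added illustration, not PgBouncer source. Assumptions: a pgbouncer.ini
with admin_users / stats_users lists, a two-level privilege model
(admin = everything, stats = read-only SHOW), and the argument form
"KILL_CLIENT <id>". The point is the check, not the command syntax.
"""
import configparser

# Constructed pgbouncer.ini fragment for the example (not a real deployment).
SAMPLE_INI = """
[pgbouncer]
listen_port = 6432
admin_users = dba
stats_users = monitor, grafana
"""


def load_console_users(ini_text):
    """Return (admin_users, stats_users) as sets parsed from ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["pgbouncer"]

    def split(value):
        return {u.strip() for u in value.split(",") if u.strip()}

    return split(section.get("admin_users", "")), split(section.get("stats_users", ""))


# Read-only console verbs that stats_users are meant to run (assumption).
READ_ONLY_VERBS = {"SHOW"}


def verb_of(command):
    """First word of a console command, upper-cased ('KILL_CLIENT 42' -> 'KILL_CLIENT')."""
    parts = command.strip().split()
    return parts[0].upper() if parts else ""


def authorize_before_fix(user, command, admin_users, stats_users):
    """Pre-1.25.2 behaviour as modelled here.

    Every console user passes the login check; state-changing commands are
    then gated on admin_users individually. KILL_CLIENT lacks that
    per-command gate, so a stats-only user can kill client connections.
    """
    if user not in admin_users and user not in stats_users:
        return False            # not a console user at all
    verb = verb_of(command)
    if verb in READ_ONLY_VERBS:
        return True
    if verb == "KILL_CLIENT":
        return True             # BUG: no admin check (CWE-862)
    return user in admin_users  # PAUSE, RELOAD, KILL, ... require admin


def authorize_fixed(user, command, admin_users, stats_users):
    """Deny by default: the privilege level decides, not a per-command opt-in.

    A stats user only ever gets the read-only allowlist, so a newly added
    command cannot become reachable by accident.
    """
    if user in admin_users:
        return True
    if user in stats_users:
        return verb_of(command) in READ_ONLY_VERBS
    return False


def demo():
    """Run both dispatchers over a few cases; returns {(user, cmd): (before, fixed)}."""
    admins, stats = load_console_users(SAMPLE_INI)
    cases = [("monitor", "KILL_CLIENT 42"), ("dba", "KILL_CLIENT 42"),
             ("monitor", "SHOW CLIENTS"), ("monitor", "PAUSE"),
             ("nobody", "SHOW CLIENTS")]
    return {(u, c): (authorize_before_fix(u, c, admins, stats),
                     authorize_fixed(u, c, admins, stats)) for u, c in cases}


if __name__ == "__main__":
    for (user, command), (old, new) in demo().items():
        print(f"{user:8} {command:16} before fix: {old!s:5} fixed: {new}")
```

The design point is the shape of the check: when authorization is an opt-in per command, every new command (KILL_CLIENT was a relatively recent addition) is an opportunity to forget it; when the read-only role is an explicit allowlist, forgetting is fail-closed.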
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
| Attack Vector | Network (N) |
| Attack Complexity | Low (L) |
| Privileges Required | Low (L) |
| User Interaction | None (N) |
| Scope | Unchanged (U) |
| Confidentiality | None (N) |
| Integrity | None (N) |
| Availability | Low (L) |
Affected Versions
| PgBouncer (vendor n/a) | all versions before 1.25.2 |
Credits
Thanks to HarutoKimura for finding and reporting this problem.