Description
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.
Published: 2026-05-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PgBouncer versions prior to 1.25.2 allowed anyone with administrative console access to issue the KILL_CLIENT command without verifying that the user was listed in the admin_users parameter. This flaw permitted an authenticated administrator to terminate arbitrary client connections, potentially disrupting legitimate users and causing service outages. The weakness is classified as CWE-862: Authorization Bypass Through User-Controlled Key.

Affected Systems

The vulnerability affects the PgBouncer database connection pooling application. All installations running a version earlier than 1.25.2 are vulnerable, regardless of platform or deployment environment.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. Because the exploit requires privileged access to the administration console, it is not an unauthenticated remote attack but can still result in significant availability impact for the affected database cluster. EPSS data is not available and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting current exploitation is unlikely but the vulnerability remains exploitable by anyone with admin rights.

Generated by OpenCVE AI on May 9, 2026 at 03:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PgBouncer to version 1.25.2 or later.
  • Configure the admin_users setting to restrict the KILL_CLIENT command to trusted admins only.
  • Limit access to the administration console through network segmentation or firewall rules.
  • Verify that the configuration does not allow KILL_CLIENT from non-admin users before deployment.

Advisories

No advisories yet.

History

Sat, 09 May 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pgbouncer, Pgbouncer pgbouncer
Vendors & Products | | Pgbouncer, Pgbouncer pgbouncer

Sat, 09 May 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.
Title | | PgBouncer missing authorization check in KILL_CLIENT admin command
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2026-05-09T00:43:53.126Z

Reserved: 2026-04-20T12:25:45.561Z

Link: CVE-2026-6667

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T01:16:09.287

Modified: 2026-05-09T01:16:09.287

Link: CVE-2026-6667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T03:30:24Z

Weaknesses