CVE-2026-6667
PgBouncer Admin Console KILL_CLIENT Command Authorization Bypass
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: PostgreSQL
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pgbouncer | pgbouncer | all versions before 1.25.2 (1.25.2 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PgBouncer versions before 1.25.2 where the software did not properly check authorization for the KILL_CLIENT admin command.
As a result, any user who had access to the administration console (an area that itself requires authorization) could execute the KILL_CLIENT command.
The intended behavior was to restrict this command only to users specified in the admin_users parameter, but this check was missing or insufficient.
How can this vulnerability impact me?
The vulnerability allows any authorized user of the PgBouncer administration console to run the KILL_CLIENT command, which can terminate client connections.
This could lead to denial of service for legitimate clients by unexpectedly disconnecting them.
The CVSS score indicates a low to medium severity impact, primarily affecting availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade PgBouncer to version 1.25.2 or later where the authorization check for the KILL_CLIENT admin command is properly enforced.
Additionally, ensure that only trusted users have access to the administration console and that the admin_users parameter is correctly configured to restrict who can run administrative commands.