CVE-2026-6667
Received Received - Intake
PgBouncer Admin Console KILL_CLIENT Command Authorization Bypass

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: PostgreSQL

Description
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6667
EUVD
EUVD-2026-28879
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pgbouncer pgbouncer to 1.25.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in PgBouncer versions before 1.25.2 where the software did not properly check authorization for the KILL_CLIENT admin command.

As a result, any user who had access to the administration consoleβ€”an area that itself requires authorizationβ€”could execute the KILL_CLIENT command.

The intended behavior was to restrict this command only to users specified in the admin_users parameter, but this check was missing or insufficient.

Impact Analysis

The vulnerability allows any authorized user of the PgBouncer administration console to run the KILL_CLIENT command, which can terminate client connections.

This could lead to denial of service for legitimate clients by unexpectedly disconnecting them.

The CVSS score indicates a low to medium severity impact, primarily affecting availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade PgBouncer to version 1.25.2 or later where the authorization check for the KILL_CLIENT admin command is properly enforced.

Additionally, ensure that only trusted users have access to the administration console and that the admin_users parameter is correctly configured to restrict who can run administrative commands.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart