Stack Overflow Vulnerability in PgBouncer by Pgbouncer.org
CVE-2026-6665
8.1 HIGH
What is CVE-2026-6665?
PgBouncer, a lightweight connection pooler for PostgreSQL, contains a stack overflow caused by improper return value checks in its SCRAM authentication code. In versions before 1.25.2, a malicious (or compromised) PostgreSQL backend that PgBouncer connects to can trigger the flaw by sending a malformed SCRAM server-final-message, for example one carrying an excessively long nonce. The outcome can range from a crash of the pooler (service disruption) to unauthorized access, so affected deployments should update to 1.25.2 or later.
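The flaw class the description names, an unchecked length return when a SCRAM attribute is copied into a fixed-size stack buffer, illustrated in C with the hardened form of the check. This is example code written for this page, not PgBouncer's own code; the buffer size SCRAM_ATTR_MAX, the function names, the status codes and the constructed sample message are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed stack buffers that receive SCRAM attribute values.
   This value is an assumption for this example, not PgBouncer's. */
#define SCRAM_ATTR_MAX 64

enum scram_status {
    SCRAM_OK = 0,
    SCRAM_ERR_MISSING_ATTR = 1,
    SCRAM_ERR_TOO_LONG = 2,
    SCRAM_ERR_SERVER_ERROR = 3
};

/* Find attribute `key` (e.g. 'r' for the nonce, 'v' for the verifier) in a
   comma-separated SCRAM message and copy its value into out[outsz].
   Like snprintf, it returns the full value length even when the value did
   not fit (the copy is then truncated), and -1 when the attribute is absent.
   The caller must compare the result with outsz; ignoring it is the
   "improper return value check" pattern the advisory describes. */
static int scram_attr_copy(const char *msg, char key, char *out, size_t outsz)
{
    const char *p = msg;
    while (*p != '\0') {
        if (p[0] == key && p[1] == '=') {
            const char *val = p + 2;
            const char *end = strchr(val, ',');
            size_t len = end ? (size_t)(end - val) : strlen(val);
            size_t ncopy = len < outsz ? len : (outsz ? outsz - 1 : 0);
            if (outsz > 0) {
                memcpy(out, val, ncopy);
                out[ncopy] = '\0';
            }
            return (int)len;      /* may exceed outsz: caller must check */
        }
        const char *next = strchr(p, ',');
        if (next == NULL)
            break;
        p = next + 1;
    }
    return -1;
}

/* Validate a message received from the backend before any value is used.
   The nonce (r=) is bounds-checked when present, since the advisory
   describes an overlong nonce; the verifier (v=) is required.  Every
   returned length is compared with its buffer size, and an oversized
   value is rejected instead of being written past the stack buffer. */
enum scram_status scram_server_final_validate(const char *msg,
                                              char *nonce_out, size_t nonce_sz)
{
    char verifier[SCRAM_ATTR_MAX];
    int n;

    /* "e=" means the server is reporting an authentication error. */
    if (strncmp(msg, "e=", 2) == 0)
        return SCRAM_ERR_SERVER_ERROR;

    n = scram_attr_copy(msg, 'r', nonce_out, nonce_sz);
    if (n >= 0 && (size_t)n >= nonce_sz)   /* did not fit: reject */
        return SCRAM_ERR_TOO_LONG;

    n = scram_attr_copy(msg, 'v', verifier, sizeof verifier);
    if (n < 0)
        return SCRAM_ERR_MISSING_ATTR;
    if ((size_t)n >= sizeof verifier)
        return SCRAM_ERR_TOO_LONG;

    /* The verifier would now be compared with the locally computed
       ServerSignature; omitted here because this example is about bounds. */
    return SCRAM_OK;
}

/* Convenience wrapper with its own nonce buffer, returning the status code. */
int scram_check_message(const char *msg)
{
    char nonce[SCRAM_ATTR_MAX];
    return (int)scram_server_final_validate(msg, nonce, sizeof nonce);
}

/* Constructed sample: a message carrying a 200-byte nonce, far larger
   than SCRAM_ATTR_MAX, of the shape the advisory describes. */
const char *sample_oversized_final_message(void)
{
    static char buf[256];
    size_t i;
    memcpy(buf, "r=", 2);
    for (i = 2; i < 2 + 200; i++)
        buf[i] = 'A';
    strcpy(buf + i, ",v=dGVzdA==");
    return buf;
}

int main(void)
{
    printf("well-formed:     status %d\n", scram_check_message("r=abc123,v=dGVzdA=="));
    printf("oversized nonce: status %d\n", scram_check_message(sample_oversized_final_message()));
    printf("server error:    status %d\n", scram_check_message("e=invalid-proof"));
    return 0;
}
```

The defensive point is in scram_server_final_validate: a helper that reports the length it needed is only safe if every caller compares that length with the destination size before trusting the buffer's contents. The same check protects against truncation being mistaken for a successful copy.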
Affected Version(s)
PgBouncer: all versions before 1.25.2 (0 ≤ version < 1.25.2)
References
CVSS v3.1
Score: 8.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to HarutoKimura for finding and reporting this problem.
