Authorization Flaw in PgBouncer Admin Command by PgBouncer
CVE-2026-6667

4.3 MEDIUM

Key Information:

Vendor: PgBouncer
Status: Vendor
CVE Published: 9 May 2026

What is CVE-2026-6667?

PgBouncer versions before 1.25.2 contain an authorization flaw in the administration console: any account permitted to connect to the console can run the KILL_CLIENT command, which forcibly disconnects a chosen client session. KILL_CLIENT is meant to be available only to the users listed in the admin_users setting. Because accounts listed in stats_users are also allowed onto the console (intended for read-only SHOW commands), a monitoring-only account on an affected version can terminate other clients' connections to the pooler. Upgrading to 1.25.2 restores the intended restriction.

Affected Version(s)

PgBouncer, all versions before 1.25.2 (fixed in 1.25.2)
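The following is an added example, not PgBouncer's own code: it models how console commands are gated by the admin_users and stats_users settings read from pgbouncer.ini, contrasts the pre-1.25.2 behaviour (KILL_CLIENT reachable by every console user) with the corrected behaviour (KILL_CLIENT limited to admin_users), and checks whether an installed version falls inside the affected range above. The ini text and version strings are constructed samples; the rule that stats_users may run SHOW commands except SHOW FDS follows PgBouncer's documented console behaviour, and the client id 42 passed to KILL_CLIENT is a placeholder.

```python
"""Model of the PgBouncer admin-console authorization flaw (CVE-2026-6667).

Added illustrative code, not PgBouncer's implementation. It models the
console's authorization rules and the affected version range so the effect
of the flaw on a given configuration can be reasoned about offline.
"""
import configparser
import re

# Constructed sample of a pgbouncer.ini [pgbouncer] section (assumed config).
SAMPLE_INI = """
[pgbouncer]
admin_users = pgb_admin
stats_users = monitor, grafana
"""

# First release that restricts KILL_CLIENT to admin_users (from the advisory).
FIXED_VERSION = (1, 25, 2)


def _split_users(value):
    return {u.strip() for u in value.split(",") if u.strip()}


def parse_console_users(ini_text):
    """Return (admin_users, stats_users) sets from pgbouncer.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["pgbouncer"]
    return _split_users(sec.get("admin_users", "")), _split_users(sec.get("stats_users", ""))


def authorize(command, user, admin_users, stats_users, fixed=True):
    """Decide whether `user` may run `command` on the admin console.

    Console access itself requires membership in admin_users or stats_users.
    SHOW commands (except SHOW FDS) are open to every console user; all other
    commands require admin_users membership. With fixed=False the model
    reproduces the flaw: KILL_CLIENT is gated only on console access.
    """
    if user not in admin_users and user not in stats_users:
        return False
    words = command.strip().split()
    verb = words[0].upper() if words else ""
    if verb == "SHOW":
        target = words[1].upper() if len(words) > 1 else ""
        return target != "FDS" or user in admin_users
    if verb == "KILL_CLIENT" and not fixed:
        return True  # the authorization flaw: console access suffices
    return user in admin_users


def parse_version(text):
    """Parse 'major.minor[.patch]' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(version):
    """True when the version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def who_can_kill_clients(ini_text, fixed):
    """List console users able to run KILL_CLIENT under the given behaviour."""
    admin, stats = parse_console_users(ini_text)
    return sorted(u for u in admin | stats
                  if authorize("KILL_CLIENT 42", u, admin, stats, fixed=fixed))


if __name__ == "__main__":
    for version in ("1.24.1", "1.25.1", "1.25.2"):
        fixed = not is_affected(version)
        print(version, "affected" if not fixed else "fixed",
              "KILL_CLIENT allowed for:", who_can_kill_clients(SAMPLE_INI, fixed))
```

To confirm the behaviour on a live instance, connect to the console as an account that appears only in stats_users (for example `psql -p 6432 -U monitor pgbouncer`) and issue a KILL_CLIENT against a client id taken from SHOW CLIENTS: a fixed build rejects the command, an affected build disconnects the targeted client.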

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Credit

Thanks to HarutoKimura for finding and reporting this problem.