Skip to main content

PgBouncer EUVDEUVD-2026-28879

| CVE-2026-6667 MEDIUM
Missing Authorization (CWE-862)
2026-05-09 PostgreSQL GHSA-gc77-jrv9-6fjp
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 09, 2026 - 02:16 EUVD
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVE Published
May 09, 2026 - 00:43 nvd
MEDIUM 4.3

DescriptionCVE.org

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

AnalysisAI

PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing any user with access to the administration console to terminate client connections. The vulnerability affects all PgBouncer versions before 1.25.2 and requires prior authentication to the admin console, limiting the real-world risk despite the authorization bypass. CVSS 4.3 reflects low availability impact but highlights a privilege escalation within authenticated contexts.

Technical ContextAI

PgBouncer is a connection pooling middleware for PostgreSQL that manages client-server connections through an administration console protected by separate authentication. The KILL_CLIENT command allows termination of active client connections and should be restricted to users explicitly listed in the admin_users parameter (a configuration directive that specifies which authenticated users have full administrative privileges). The vulnerability stems from CWE-862 (Missing Authorization) - the admin console implements authentication but fails to enforce role-based access control (RBAC) for specific sensitive operations. This is a post-authentication privilege escalation: an authenticated user with console access but not explicitly in admin_users can execute a command intended only for administrators, causing denial of service by killing arbitrary connections.

RemediationAI

Upgrade to PgBouncer 1.25.2 or later, which restores proper authorization checks on the KILL_CLIENT command per the vendor changelog (https://www.pgbouncer.org/changelog.html#pgbouncer-125x). The patch enforces that only users listed in the admin_users configuration parameter can execute KILL_CLIENT. If immediate upgrade is not feasible, operators should restrict admin console network access to trusted networks using firewall rules or network segmentation, limit the number of user accounts with admin console credentials, and audit admin console usage logs to detect unauthorized KILL_CLIENT attempts. Note that these workarounds do not fix the underlying authorization flaw and are temporary mitigations only.

CVE-2015-4054 HIGH POC
7.5 May 23

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by send

CVE-2021-3672 MEDIUM POC
5.6 Nov 23

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Se

CVE-2015-6817 HIGH
8.1 May 23

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user

CVE-2025-2291 HIGH
8.1 Apr 16

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,

CVE-2026-6665 HIGH
8.1 May 09

Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution

CVE-2021-3935 HIGH
8.1 Nov 22

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries

CVE-2025-12819 HIGH
7.5 Dec 03

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to

CVE-2026-6664 HIGH
7.5 May 09

Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection po

CVE-2026-6666 MEDIUM
5.9 May 09

PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE fie

CVE-2012-4575 MEDIUM
5.0 Nov 18

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a d

Share

EUVD-2026-28879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy