Skip to main content

Pgbouncer

11 CVEs product

Monthly

CVE-2026-6667 MEDIUM PATCH This Month

PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing any user with access to the administration console to terminate client connections. The vulnerability affects all PgBouncer versions before 1.25.2 and requires prior authentication to the admin console, limiting the real-world risk despite the authorization bypass. CVSS 4.3 reflects low availability impact but highlights a privilege escalation within authenticated contexts.

Authentication Bypass Pgbouncer
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6666 MEDIUM PATCH This Month

PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE field, enabling denial of service against connection pooling infrastructure. The vulnerability requires an attacker to control or compromise a PostgreSQL backend server or intercept server responses on the network, making exploitation conditional on non-default network topology or server compromise. CVSS score of 5.9 reflects high availability impact but limited attack surface due to medium complexity (AC:H).

Denial Of Service Null Pointer Dereference Pgbouncer
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-6665 HIGH PATCH This Week

Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution via SCRAM authentication nonce manipulation. The flaw stems from incorrect strlcat() return value checking during SCRAM client-final-message construction. Remote unauthenticated exploitation is possible (CVSS 8.1, AV:N/PR:N) but requires high attack complexity - specifically, the attacker must control or compromise the backend PostgreSQL server PgBouncer connects to. No public exploit identified at time of analysis; EPSS and KEV data not available in this assessment.

Stack Overflow Buffer Overflow Pgbouncer
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-6664 HIGH PATCH This Week

Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection pooler by sending a malformed SCRAM authentication packet that triggers an integer overflow in network packet parsing code. The vulnerability bypasses boundary checks in authentication handling, enabling complete service disruption of database connection pooling. EPSS data not available, no confirmed active exploitation (not in CISA KEV), but the unauthenticated remote attack vector (CVSS AV:N/AC:L/PR:N) presents significant risk for internet-exposed PostgreSQL infrastructure.

Integer Overflow Denial Of Service Pgbouncer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-12819 HIGH PATCH This Week

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Information Disclosure Ubuntu Debian Pgbouncer
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-2291 HIGH This Week

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Pgbouncer Debian Linux
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2021-3672 MEDIUM POC PATCH This Month

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XSS C Ares Fedora Enterprise Linux Enterprise Linux Computer Node +13
NVD
CVSS 3.1
5.6
EPSS
2.6%
CVE-2021-3935 HIGH This Week

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SQLi Pgbouncer Enterprise Linux Fedora Debian Linux
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2015-6817 HIGH PATCH This Week

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Pgbouncer
NVD GitHub
CVSS 3.0
8.1
EPSS
1.4%
CVE-2015-4054 HIGH POC PATCH This Week

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Pgbouncer
NVD GitHub
CVSS 3.0
7.5
EPSS
3.4%
CVE-2012-4575 MEDIUM This Month

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service PostgreSQL Pgbouncer
NVD
CVSS 2.0
5.0
EPSS
1.5%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

PgBouncer before version 1.25.2 fails to properly restrict the KILL_CLIENT admin command to authorized users, allowing any user with access to the administration console to terminate client connections. The vulnerability affects all PgBouncer versions before 1.25.2 and requires prior authentication to the admin console, limiting the real-world risk despite the authorization bypass. CVSS 4.3 reflects low availability impact but highlights a privilege escalation within authenticated contexts.

Authentication Bypass Pgbouncer
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

PgBouncer before version 1.25.2 crashes when a backend PostgreSQL server sends an error response lacking an SQLSTATE field, enabling denial of service against connection pooling infrastructure. The vulnerability requires an attacker to control or compromise a PostgreSQL backend server or intercept server responses on the network, making exploitation conditional on non-default network topology or server compromise. CVSS score of 5.9 reflects high availability impact but limited attack surface due to medium complexity (AC:H).

Denial Of Service Null Pointer Dereference Pgbouncer
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Stack overflow in PgBouncer before 1.25.2 enables malicious PostgreSQL backend servers to trigger remote code execution via SCRAM authentication nonce manipulation. The flaw stems from incorrect strlcat() return value checking during SCRAM client-final-message construction. Remote unauthenticated exploitation is possible (CVSS 8.1, AV:N/PR:N) but requires high attack complexity - specifically, the attacker must control or compromise the backend PostgreSQL server PgBouncer connects to. No public exploit identified at time of analysis; EPSS and KEV data not available in this assessment.

Stack Overflow Buffer Overflow Pgbouncer
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in PgBouncer versions before 1.25.2 allows unauthenticated attackers to crash the connection pooler by sending a malformed SCRAM authentication packet that triggers an integer overflow in network packet parsing code. The vulnerability bypasses boundary checks in authentication handling, enabling complete service disruption of database connection pooling. EPSS data not available, no confirmed active exploitation (not in CISA KEV), but the unauthenticated remote attack vector (CVSS AV:N/AC:L/PR:N) presents significant risk for internet-exposed PostgreSQL infrastructure.

Integer Overflow Denial Of Service Pgbouncer
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

Information Disclosure Ubuntu Debian +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Pgbouncer +1
NVD
EPSS 3% CVSS 5.6
MEDIUM POC PATCH This Month

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

XSS C Ares Fedora +15
NVD
EPSS 1% CVSS 8.1
HIGH This Week

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SQLi Pgbouncer Enterprise Linux +2
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Pgbouncer
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Pgbouncer
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM This Month

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service PostgreSQL +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy