PT-2026-39229 · Pgbouncer · Pgbouncer

Harutokimura For

Published: 2026-05-09 · Updated: 2026-05-09

CVE-2026-6667

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

PgBouncer versions prior to 1.25.2

Description

An improper authorization check exists for the 'KILL CLIENT' admin command. Any user with access to the administration console can execute this command, whereas it should be restricted exclusively to users defined in the admin_users parameter.

Recommendations

Update to version 1.25.2 or later.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-6667

Affected Products: Pgbouncer