BIT-pgbouncer-2026-6667

Import Source
https://github.com/bitnami/vulndb/tree/main/data/pgbouncer/BIT-pgbouncer-2026-6667.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-pgbouncer-2026-6667
Aliases
  • CVE-2026-6667
Published
2026-05-12T08:52:54.700Z
Modified
2026-05-12T10:46:13.190414Z
Summary
PgBouncer missing authorization check in KILL_CLIENT admin command
Details

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / pgbouncer

Package

Name
pgbouncer
Purl
pkg:bitnami/pgbouncer

Severity

  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.25.2

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/pgbouncer/BIT-pgbouncer-2026-6667.json"