← Back

CVE-2026-6667

nvd nist
Published: May 9, 2026Modified: May 14, 2026

JSON object

Loading...
4.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Exploitability: 2.8 / Impact: 1.4
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (Secondary)

Description

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

Affected (1)

Products: Pgbouncer: Pgbouncer
Pgbouncer
1 product
Pgbouncer
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Pgbouncer
Before 1.25.2

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (1)

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
Release Notes

Timeline

No history available yet.