CVE-2026-6667 — MEDIUM (4.3)

Q: How severe is CVE-2026-6667?

CVE-2026-6667 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-6667?

Check the references section above for vendor advisories and patch information. Affected products include: Pgbouncer Pgbouncer.

Vulnerability Description

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Pgbouncer	Pgbouncer	< 1.25.2

Related Weaknesses (CWE)

CWE-862

References

https://www.pgbouncer.org/changelog.html#pgbouncer-125xRelease Notes

FAQ

What is CVE-2026-6667?

CVE-2026-6667 is a vulnerability with a CVSS score of 4.3 (MEDIUM). PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) ...

How severe is CVE-2026-6667?

CVE-2026-6667 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-6667?

Check the references section above for vendor advisories and patch information. Affected products include: Pgbouncer Pgbouncer.