← voltar
CVE-2026-6667

PgBouncer missing authorization check in KILL_CLIENT admin command

CVSS 4.3 MEDIUMEPSS 0.3%CWE-862
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 4.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
09 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Produtos afetados
n/a · PgBouncer