CVE-2026-6667

MEDIUM4.3EPSS 0.01%

PgBouncer missing authorization check in KILL_CLIENT admin command

發布日:2026/5/9修改日:2026/5/16

描述

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

受影響套件(2)

Bitnami/pgbouncerfrom 0, < 1.25.2
Debian/pgbouncerfrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

參考連結(3)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-6667
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-6667
WEBhttps://www.pgbouncer.org/changelog.html#pgbouncer-125x