Bug 2468433 (CVE-2026-6667) - CVE-2026-6667 PgBouncer: Denial of Service via improper authorization for KILL_CLIENT command
Keywords:
Status: NEW
Alias: CVE-2026-6667
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2477911 2477912
Blocks:
Reported: 2026-05-09 02:01 UTC by OSIDB Bzimport
Modified: 2026-05-15 15:53 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description (OSIDB Bzimport, 2026-05-09 02:01:28 UTC):
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. Any user who could reach the administration console (which itself requires authentication) could run this command. Only users listed in the admin_users parameter should have been permitted to do so.
