CVE-2026-6667

Name: CVE-2026-6667
Description: PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. Any user with access to the administration console (which itself requires authorization) could run this command; only users listed in the admin_users parameter should have been allowed to do so.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1136075

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version            Status
pgbouncer (PTS)    bullseye             1.15.0-1           vulnerable
                   bullseye (security)  1.15.0-1+deb11u2   vulnerable
                   bookworm             1.18.0-1+deb12u1   vulnerable
                   trixie               1.24.1-1+deb13u1   vulnerable
                   forky, sid           1.25.1-1           vulnerable

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
pgbouncer   source  (unstable)  (unfixed)                       1136075

Notes

Fixed by: https://github.com/pgbouncer/pgbouncer/commit/97b5634be55d167a602b0bc0f09a8675997248a6 (pgbouncer_1_25_2)
