PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6667 PgBouncer CVE debrief

CVE-2026-6667 describes an authorization flaw in PgBouncer before 1.25.2 affecting the KILL_CLIENT admin command. According to the NVD record and the linked PgBouncer changelog, users who could access the administration console were able to run this command even though it should have been limited to users listed in admin_users. The issue is rated CVSS 4.3 (Medium) and is primarily an availability concern.

Vendor
Pgbouncer
Product
Unknown
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

PgBouncer operators, database administrators, platform teams, and security teams that delegate access to the PgBouncer administration console should review this issue. It matters most in environments where multiple users or automation accounts can reach admin console functions.

Technical summary

The vulnerability is an improper authorization check (CWE-862) in PgBouncer’s handling of the KILL_CLIENT admin command. The NVD metadata states that, prior to version 1.25.2, any user with administration console access could invoke KILL_CLIENT, while the intended restriction was to users listed in admin_users. The supplied CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L: the issue is reachable over the network, requires low privileges (a console login) and no user interaction, and has a low availability impact with no confidentiality or integrity impact.

Defensive priority

Medium. Upgrade priority should be normal-to-urgent depending on how widely administration-console access is granted. If admin access is tightly restricted, this can be scheduled in a standard maintenance window; if broader operator access exists, prioritize sooner.

Recommended defensive actions

  • Upgrade PgBouncer to version 1.25.2 or later.
  • Restrict administration-console access so only explicitly approved users can authenticate.
  • Review the admin_users configuration and remove any accounts that do not require admin command access.
  • Audit service accounts, scripts, and operator workflows that can reach the PgBouncer admin console.
  • Verify deployed PgBouncer versions across all environments and track remediation to completion.
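The version check and admin_users review above can be scripted. The following is an added example, not code from the PgBouncer project or from this advisory: it parses a constructed pgbouncer.ini, compares a `pgbouncer --version` string against the 1.25.2 fix version, and flags console accounts that are not on an approved list. The config keys admin_users and stats_users are real PgBouncer settings (stats_users also get console logins, limited to SHOW commands), but the sample values, the approved list and the helper names are assumptions.

```python
"""Audit helper for the CVE-2026-6667 remediation steps (added example).

Assumptions: config is a pgbouncer.ini-style file with a [pgbouncer] section,
and the version string looks like the output of `pgbouncer --version`
(e.g. "PgBouncer 1.25.1"). Not the project's own tooling.
"""
import configparser
import re

FIXED_VERSION = (1, 25, 2)  # first release with the KILL_CLIENT authorization fix

# Constructed sample config; not taken from a real deployment.
SAMPLE_INI = """
[databases]
app = host=127.0.0.1 port=5432 dbname=app

[pgbouncer]
listen_addr = 127.0.0.1
listen_port = 6432
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
admin_users = pgbouncer_admin, deploy_bot, legacy_ops
stats_users = monitor
"""


def parse_version(version_text):
    """Extract (major, minor, patch) from a string such as 'PgBouncer 1.25.1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not match:
        raise ValueError(f"no X.Y.Z version found in {version_text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version_text):
    """True when the running version already contains the 1.25.2 fix."""
    return parse_version(version_text) >= FIXED_VERSION


def console_users(ini_text, key):
    """Return the comma-separated user list for admin_users or stats_users."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    raw = parser.get("pgbouncer", key, fallback="")
    return [user.strip() for user in raw.split(",") if user.strip()]


def audit(ini_text, version_text, approved_admins, approved_stats=()):
    """Produce remediation findings: missing upgrade and unapproved console accounts.

    Before 1.25.2 every console login could run KILL_CLIENT, so stats_users
    (normally SHOW-only) are reviewed as well as admin_users.
    """
    findings = []
    running = ".".join(str(p) for p in parse_version(version_text))
    if not is_patched(version_text):
        findings.append(f"upgrade: running {running}, fixed in 1.25.2")
    for user in console_users(ini_text, "admin_users"):
        if user not in approved_admins:
            findings.append(f"admin_users: '{user}' is not an approved admin account")
    for user in console_users(ini_text, "stats_users"):
        if user not in approved_stats:
            findings.append(f"stats_users: '{user}' is not an approved stats account")
    return findings


if __name__ == "__main__":
    # Hypothetical approved lists for the constructed sample.
    for line in audit(SAMPLE_INI, "PgBouncer 1.25.1", {"pgbouncer_admin"}, {"monitor"}):
        print(line)
```

Run it against the real files by replacing SAMPLE_INI with the contents of the deployed pgbouncer.ini and the version string with the output of `pgbouncer --version` on each host; an empty findings list means the host is on 1.25.2 or later and every console account is on the approved lists.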

Evidence notes

Source data from NVD identifies CVE-2026-6667 as an authorization issue in PgBouncer before 1.25.2. The record links to the PgBouncer 1.25.x changelog, and the description states that all users with administration-console access could run KILL_CLIENT even though only users in admin_users should have been allowed. NVD also classifies the weakness as CWE-862 and supplies the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

Official resources

Publicly disclosed on 2026-05-09 via the NVD record, with a vendor changelog reference to PgBouncer 1.25.x. No KEV listing was supplied.