PgBouncer missing authorization check in KILL_CLIENT admin command
Details
CVSS v3
4.3
NVD published
2026-05-09 01:16:09
EPSS
<0.1% probability · 2.6th percentile — 2026-05-11
Affected versions
Not available in our cache.
Summary
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.