PgBouncer
cpe:2.3:a:pgbouncer:pgbouncer:*:*:*:*:*:*:*
- < 1.25.2
An authorization bypass vulnerability has been identified in PgBouncer versions prior to 1.25.2: any user with access to the administration console can execute the KILL_CLIENT command. This command, which terminates client connections, should only be available to users listed in the admin_users parameter. The vulnerability arises because the application does not restrict access to the command according to user privileges.
Exploitation of this vulnerability allows unauthorized users to terminate client connections, potentially disrupting active database operations or user activities.
Users can upgrade to PgBouncer version 1.25.2 or later, where this vulnerability has been fixed.
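As an added triage example (not code from the advisory or the PgBouncer project), the script below checks a `pgbouncer --version` string against the fixed release and reads a pgbouncer.ini to list the console users who are not in admin_users. In PgBouncer, stats_users also get console access (read-only SHOW commands), so before 1.25.2 they are the accounts that could have issued KILL_CLIENT without admin rights; the sample ini is constructed for the example.

```python
"""Triage helper for the PgBouncer KILL_CLIENT authorization bypass (fixed in 1.25.2)."""
import configparser
import re

FIXED_VERSION = (1, 25, 2)  # first release carrying the fix, per the advisory


def parse_version(version_text: str) -> tuple:
    """Extract the first X.Y[.Z] version number from `pgbouncer --version` output."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text)
    if not match:
        raise ValueError(f"no version number found in {version_text!r}")
    return tuple(int(part) if part else 0 for part in match.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the running binary predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def console_users(ini_text: str) -> dict:
    """Return admin and stats console users from a pgbouncer.ini, plus the
    non-admin accounts that could reach KILL_CLIENT on an unpatched build."""
    cfg = configparser.ConfigParser(interpolation=None)  # values contain '=' and '%'
    cfg.read_string(ini_text)

    def user_set(key: str) -> set:
        raw = cfg.get("pgbouncer", key, fallback="")
        return {u.strip() for u in raw.split(",") if u.strip()}

    admins, stats = user_set("admin_users"), user_set("stats_users")
    return {"admin_users": admins, "stats_users": stats, "exposed": stats - admins}


def triage(version_text: str, ini_text: str) -> dict:
    """Combine both checks into one finding for the host being assessed."""
    users = console_users(ini_text)
    vulnerable = is_vulnerable(version_text)
    return {"vulnerable": vulnerable,
            "exposed_users": users["exposed"] if vulnerable else set()}


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_INI = """
[databases]
app = host=127.0.0.1 port=5432 dbname=app

[pgbouncer]
listen_port = 6432
auth_type = md5
admin_users = pgbouncer_admin
stats_users = monitoring, grafana
"""

if __name__ == "__main__":
    print(triage("PgBouncer 1.25.1", SAMPLE_INI))
```

A non-empty `exposed_users` set on a vulnerable build is the population to review in console logs and to keep in mind when deciding how urgently to upgrade.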