CVE-2026-6667 Overview
CVE-2026-6667 is a missing authorization vulnerability in PgBouncer, the lightweight connection pooler for PostgreSQL. Versions prior to 1.25.2 fail to enforce proper authorization checks on the KILL_CLIENT administrative command. Any user with access to the administration console can execute this command, even when they are not listed in the admin_users parameter. The flaw maps to CWE-862 (Missing Authorization) and affects the integrity of the privilege boundary between regular console users and dedicated administrators.
Critical Impact
Authenticated console users outside the admin_users list can forcibly terminate client connections, causing availability disruption to applications relying on PgBouncer-managed PostgreSQL pools.
Affected Products
- PgBouncer versions prior to 1.25.2
- Deployments exposing the PgBouncer administration console to non-admin authenticated users
- PostgreSQL environments using PgBouncer for connection pooling
Discovery Timeline
- 2026-05-09 - CVE-2026-6667 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6667
Vulnerability Analysis
PgBouncer exposes an administrative console accessible through the standard PostgreSQL protocol. The console supports privileged commands intended only for users defined in the admin_users configuration parameter. The KILL_CLIENT command terminates an active client connection managed by the pooler.
In versions before 1.25.2, the command handler omits the authorization check that restricts execution to administrators. Any authenticated console user, including those granted only read-level statistics access through the stats_users parameter, can invoke KILL_CLIENT. This results in a broken access control condition where the console's authentication step is treated as sufficient, without enforcing the secondary role-based authorization required for destructive commands.
Root Cause
The root cause is missing role validation in the dispatch path for KILL_CLIENT. Other destructive admin commands in PgBouncer are gated by an admin_users membership check before execution. The KILL_CLIENT handler lacked the equivalent gate, so the command fell through to execution after only the console authentication completed.
Attack Vector
An attacker requires network reachability to the PgBouncer admin interface and valid credentials for a non-admin console role. After connecting to the pgbouncer virtual database, the attacker issues the KILL_CLIENT command against a target client identifier. The pooler terminates the targeted client session, breaking the application's database connection. Repeated invocations can disrupt service for any pooled client. The vulnerability does not expose data confidentiality or allow integrity tampering, but it provides a low-effort availability attack against pooled workloads.
Detection Methods for CVE-2026-6667
Indicators of Compromise
- Execution of the KILL_CLIENT command in PgBouncer logs by accounts not listed in admin_users
- Unexpected client disconnection events correlated with admin console sessions from stats_users or other non-admin roles
- Repeated authentication to the pgbouncer admin database from application or monitoring accounts
Detection Strategies
- Enable verbose logging in PgBouncer and parse the admin command log entries for KILL_CLIENT invocations
- Correlate the executing user identity against the configured admin_users list to flag unauthorized usage
- Alert on connection terminations originating from administrative commands rather than client or server timeouts
Monitoring Recommendations
- Forward PgBouncer logs to a centralized analytics platform and build queries for KILL_CLIENT, KILL, and SHUTDOWN command usage
- Track session counts and unexpected drop spikes on PostgreSQL backends behind PgBouncer
- Audit the stats_users and admin_users configuration values during regular configuration reviews
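As an added detection example (not from the page or the PgBouncer project) covering the Detection Strategies and Monitoring Recommendations above, the following Python script reads admin_users from a pgbouncer.ini fragment and scans constructed log lines for KILL_CLIENT, KILL and SHUTDOWN commands issued by console users outside that list. The wording of the admin-command log lines is an assumption; adjust ADMIN_CMD_RE to match the verbose-log output of your PgBouncer version.

```python
import configparser
import re

# Constructed pgbouncer.ini fragment (sample values, modelled on the page's example).
PGBOUNCER_INI = """\
[pgbouncer]
listen_addr = 127.0.0.1
admin_users = pgb_admin
stats_users = pgb_monitor, app_metrics
auth_type = scram-sha-256
"""

# Constructed log lines. The wording PgBouncer uses when logging admin commands is
# assumed here; adjust ADMIN_CMD_RE to match the verbose-log output of your version.
SAMPLE_LOG = """\
2026-05-10 09:14:02.118 UTC [2231] LOG C-0x55e1: pgbouncer/pgb_monitor@10.0.0.7:51234 login attempt: db=pgbouncer user=pgb_monitor tls=no
2026-05-10 09:14:03.402 UTC [2231] LOG C-0x55e1: pgbouncer/pgb_monitor@10.0.0.7:51234 KILL_CLIENT command issued
2026-05-10 09:15:10.001 UTC [2231] LOG C-0x55f9: pgbouncer/pgb_admin@10.0.0.2:40111 KILL_CLIENT command issued
2026-05-10 09:16:44.733 UTC [2231] LOG C-0x55a0: pgbouncer/app_metrics@10.0.0.9:38080 SHUTDOWN command issued
"""

# Destructive console commands worth alerting on.
WATCHED_CMDS = {"KILL_CLIENT", "KILL", "SHUTDOWN"}
ADMIN_CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) .*? pgbouncer/(?P<user>[^@\s]+)@(?P<addr>\S+) "
    r"(?P<cmd>[A-Z_]+) command issued$"
)

def load_admin_users(ini_text):
    """Return the set of admin_users from the [pgbouncer] section of pgbouncer.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get("pgbouncer", "admin_users", fallback="")
    return {u.strip() for u in raw.split(",") if u.strip()}

def find_unauthorized_admin_cmds(log_text, admin_users):
    """Flag watched admin commands issued by console users not in admin_users."""
    findings = []
    for line in log_text.splitlines():
        m = ADMIN_CMD_RE.match(line)
        if m and m["cmd"] in WATCHED_CMDS and m["user"] not in admin_users:
            findings.append({"ts": m["ts"], "user": m["user"],
                             "addr": m["addr"], "cmd": m["cmd"]})
    return findings

if __name__ == "__main__":
    for f in find_unauthorized_admin_cmds(SAMPLE_LOG, load_admin_users(PGBOUNCER_INI)):
        print(f"ALERT {f['ts']} {f['cmd']} issued by non-admin {f['user']} from {f['addr']}")
```

On the constructed sample the admin's own KILL_CLIENT is not flagged, while the stats_users accounts' KILL_CLIENT and SHUTDOWN are.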
How to Mitigate CVE-2026-6667
Immediate Actions Required
- Upgrade PgBouncer to version 1.25.2 or later on all hosts running the connection pooler
- Restrict network access to the PgBouncer admin port to operator workstations and management hosts only
- Review stats_users and any non-admin console accounts to ensure they belong to trusted operators
- Rotate credentials for any console users whose access is no longer required
Patch Information
The fix is included in PgBouncer 1.25.2, which adds the missing authorization check so that only members of admin_users can execute KILL_CLIENT. Details are documented in the PgBouncer changelog entry for that release.
Workarounds
- Remove non-essential users from the stats_users list until the upgrade is applied
- Bind the PgBouncer admin listener to localhost or a management VLAN via listen_addr
- Enforce host-based firewall rules limiting access to the PgBouncer admin port
- Audit existing console roles and disable any shared monitoring accounts that could be abused
# Configuration example: restrict admin console exposure in pgbouncer.ini
# listen_addr governs PgBouncer's single listening socket, so it also limits where
# pooled application clients connect from; use firewall rules if apps are remote.
listen_addr = 127.0.0.1
# Only admin_users may run KILL_CLIENT and other admin commands (once 1.25.2 is applied)
admin_users = pgb_admin
# stats_users receive read-level statistics access only
stats_users = pgb_monitor
# Require SCRAM password authentication for console logins
auth_type = scram-sha-256
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.