## CVE-2026-6665: High-Severity Vulnerability in PgBouncer Allows Malicious Backend Attack via SCRAM Authentication
A high-severity vulnerability tracked as CVE-2026-6665 has been disclosed in PgBouncer, the widely used PostgreSQL connection pooler, exposing deployments running versions prior to 1.25.2 to potential exploitation. The flaw carries a CVSS score of 8.1 and resides in the SCRAM authentication implementation, where the code fails to validate the return value of strlcat() when constructing the SCRAM client-final-message.

The vulnerability creates a dangerous attack surface: a malicious backend server can transmit a SCRAM server-final-message containing an oversized nonce value, triggering the vulnerable code path. PgBouncer sits as middleware between applications and PostgreSQL databases, so a compromised instance could let attackers intercept, disrupt, or manipulate database connections across dependent infrastructure. The issue affects all PgBouncer deployments using SCRAM authentication that have not yet upgraded to version 1.25.2 or later.
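The bug class described above, an unchecked strlcat() return value, is worth seeing in isolation. The following is an added illustration and is not PgBouncer's code: it uses a small portable re-implementation of BSD strlcat() semantics (`demo_strlcat`), an assumed 16-byte buffer, and constructed nonce values to contrast a builder that discards the return value with one that checks it. In the unchecked variant, a peer-supplied field that is too long is silently cut short while the function still reports success; in the checked variant, the message is rejected because strlcat() returns the length the result would have had, and any value at or above the buffer size signals truncation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable re-implementation of BSD strlcat() semantics so the example builds
 * on libcs that lack it. Returns the length the concatenation would have had
 * (strlen(dst) + strlen(src)); a result >= size means dst was truncated. */
static size_t demo_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    size_t slen = strlen(src);
    if (dlen == size)                 /* dst not NUL-terminated within size */
        return size + slen;
    size_t room = size - dlen - 1;
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Unchecked pattern: the return value of each append is discarded, so an
 * oversized field is silently cut short and the caller never learns it. */
int build_message_unchecked(char *buf, size_t size, const char *prefix, const char *nonce)
{
    buf[0] = '\0';
    demo_strlcat(buf, prefix, size);
    demo_strlcat(buf, nonce, size);
    return 0;
}

/* Checked pattern: each append is verified against the buffer size and the
 * message is rejected (-1) as soon as anything would not fit. */
int build_message_checked(char *buf, size_t size, const char *prefix, const char *nonce)
{
    buf[0] = '\0';
    if (demo_strlcat(buf, prefix, size) >= size)
        return -1;
    if (demo_strlcat(buf, nonce, size) >= size)
        return -1;
    return 0;
}

#define DEMO_BUF 16  /* assumed, deliberately small buffer for the demo */

/* Constructed input: a 20-byte nonce that cannot fit after "r=" in 16 bytes.
 * Returns 1 when the checked builder refuses it. */
int demo_checked_rejects_oversized(void)
{
    char buf[DEMO_BUF];
    const char *nonce = "AAAAAAAAAAAAAAAAAAAA";  /* 20 bytes, constructed */
    return build_message_checked(buf, sizeof buf, "r=", nonce) == -1;
}

/* Same constructed input through the unchecked builder: it reports success,
 * but the buffer holds only the first 15 bytes of the intended message. */
int demo_unchecked_truncates_silently(void)
{
    char buf[DEMO_BUF];
    const char *nonce = "AAAAAAAAAAAAAAAAAAAA";  /* 20 bytes, constructed */
    int rc = build_message_unchecked(buf, sizeof buf, "r=", nonce);
    return rc == 0 && strlen(buf) == DEMO_BUF - 1;
}

/* A nonce that fits is accepted unchanged by the checked builder. */
int demo_checked_accepts_fitting(void)
{
    char buf[DEMO_BUF];
    return build_message_checked(buf, sizeof buf, "r=", "abc123") == 0
        && strcmp(buf, "r=abc123") == 0;
}

int main(void)
{
    printf("checked rejects oversized nonce: %d\n", demo_checked_rejects_oversized());
    printf("unchecked truncates silently:    %d\n", demo_unchecked_truncates_silently());
    printf("checked accepts fitting nonce:   %d\n", demo_checked_accepts_fitting());
    return 0;
}
```

The defensive rule the example shows is the one the advisory implies: any field copied from the peer into a fixed-size buffer must be bounded by a checked return value, and a would-be-truncated message should abort the authentication exchange rather than be sent in a mangled form.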

Security teams managing PostgreSQL environments should treat this disclosure as a priority patching event. PgBouncer's role in high-traffic database architectures amplifies the potential blast radius of exploitation, particularly in environments where backend servers may not be fully trusted or where multi-tenant database access is in play. The vulnerability underscores the persistent risks in authentication protocol implementations, even in mature infrastructure tooling. Organizations running affected versions should immediately upgrade to PgBouncer 1.25.2 and audit their SCRAM authentication configurations for signs of anomalous backend behavior.
---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: CVE-2026-6665, PgBouncer, SCRAM, PostgreSQL, vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-09 07:31:51
- **ID**: 81043
- **URL**: https://whisperx.ai/en/intel/81043