pgbouncer CVE Vulnerabilities & Metrics

Focus on pgbouncer vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About pgbouncer Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with pgbouncer. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total pgbouncer CVEs: 6
Earliest CVE date: 23 May 2017, 04:29 UTC
Latest CVE date: 03 Dec 2025, 19:15 UTC

Latest CVE reference: CVE-2025-12819

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical pgbouncer CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.95

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range      Count
0.0-3.9    2
4.0-6.9    4
7.0-8.9    0
9.0-10.0   0

CVSS Distribution Chart

Top 5 Highest CVSS pgbouncer CVEs

These are the five CVEs with the highest CVSS scores for pgbouncer, sorted by severity first and then by recency.

All CVEs for pgbouncer

CVE-2025-12819 pgbouncer vulnerability CVSS: 0 03 Dec 2025, 19:15 UTC

Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.

CVE-2025-2291 pgbouncer vulnerability CVSS: 0 16 Apr 2025, 18:16 UTC

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres's VALID UNTIL value, which allows an attacker to log in with an already expired password.

CVE-2021-3672 pgbouncer vulnerability CVSS: 6.8 23 Nov 2021, 19:15 UTC

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

CVE-2021-3935 pgbouncer vulnerability CVSS: 5.1 22 Nov 2021, 16:15 UTC

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.

CVE-2015-6817 pgbouncer vulnerability CVSS: 6.8 23 May 2017, 04:29 UTC

PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username.

CVE-2015-4054 pgbouncer vulnerability CVSS: 5.0 23 May 2017, 04:29 UTC

PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet.