CVE-2025-46801 - Pgpool-II Authentication Bypass

Suggest edits

First Published: 2025/07/04

Last Updated: 2025/07/04

Important: This is an assessment of the impact of CVE-2025-46801 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Pgpool-II contains an authentication bypass vulnerability that can be exploited under certain conditions. If an attacker exploits the vulnerability they may be able to log in to the system as an arbitrary user, which could allow them to read or tamper with data in the database, and/or disable the database.

This vulnerability only affects systems that meet the conditions in any of patterns below:

Pattern 1: All of the following conditions must be met.

  • Password authentication method is configured in pool_hba.conf
  • allow_clear_text_frontend_auth = off
  • Victim user's password is not set in pool_passwd
  • scram-sha-256 or md5 authentication method is configured in pg_hba.conf

Pattern 2: All of the following conditions must be met.

  • enable_pool_hba = off
  • One of the authentication methods among password, pam, and ldap is configured in pg_hba.conf

Pattern 3: All of the following conditions must be met.

  • Pgpool-II is running in raw mode (backend_clustering_mode = 'raw')
  • md5 authentication method is configured in pool_hba.conf
  • allow_clear_text_frontend_auth = off
  • Victim user's password is stored as plaintext or AES format in pool_passwd
  • One of the authentication methods among password, pam, and ldap is configured in pg_hba.conf

Vulnerability details

CVE-ID: CVE-2025-46801

CVE Publish Date: 2025-05-19

CVSS Base Score: 9.8

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products and versions

EDB-Pgpool

  • All versions prior to 4.5.1-4

Pgpool-II

  • Version 4.6.0
  • Versions 4.5.0 to 4.5.6
  • Versions 4.4.0 to 4.4.11
  • Versions 4.3.0 to 4.3.14
  • Versions 4.2.0 to 4.2.21
  • All versions of 4.1 series
  • All versions of 4.0 series

Remediation/fixes

EDB-Pgpool

Affected VersionFixed InFix Published
Prior to 4.5.1-44.5.1-42025-07-04

Pgpool-II

Affected VersionFixed InFix Published
Prior to 4.6.14.6.12025-05-15
Prior to 4.5.74.5.72025-05-15
Prior to 4.4.124.4.122025-05-15
Prior to 4.3.154.3.152025-05-15
Prior to 4.2.224.2.222025-05-15

Versions in the 4.0 and 4.1 series are unsupported and should be upgraded to a supported version.

References

Related information

Acknowledgement

Source: PgPool Global Development Group

Could this page be better? Report a problem or suggest an addition!