Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 released.
What is Pgpool-II?
Pgpool-II is a tool to add useful features to PostgreSQL, including:
- connection pooling
- load balancing
- automatic failover and more.
Minor releases
Pgpool Global Development Group is pleased to announce the availability of the following versions of Pgpool-II:
- 4.6.1
- 4.5.7
- 4.4.12
- 4.3.15
- 4.2.22
This release contains a security fix.
An authentication bypass vulnerability exists in the client authentication mechanism of Pgpool-II. In Pgpool-II, authentication may be bypassed even when it is supposed to be enforced. As a result, an attacker could log in as any user, potentially leading to information disclosure, data tampering, or even a complete shutdown of the database. (CVE-2025-46801)
This vulnerability affects systems where the authentication configuration matches one of the following patterns:
Pattern 1: This vulnerability occurs when all of the following conditions are met:
- The password authentication method is used in pool_hba.conf
- allow_clear_text_frontend_auth = off
- The user's password is not set in pool_passwd
- The scram-sha-256 or md5 authentication method is used in pg_hba.conf
Pattern 2: This vulnerability occurs when all of the following conditions are met:
- enable_pool_hba = off
- One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap
Pattern 3: This vulnerability occurs when all of the following conditions are met:
- Raw mode is used (backend_clustering_mode = 'raw')
- The md5 authentication method is used in pool_hba.conf
- allow_clear_text_frontend_auth = off
- The user's password is registered in pool_passwd in plain text or AES format
- One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap
All versions of Pgpool-II 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 are affected by this vulnerability. It is strongly recommended to upgrade to Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 or later. Alternatively, you can modify your settings so that they do not match any of the vulnerable configuration patterns.
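To help decide whether a deployment falls under one of the three patterns above, here is an added example (not Pgpool-II's own code): a small checker that takes the relevant pgpool.conf settings, the authentication methods in use in pool_hba.conf and pg_hba.conf, and the user's pool_passwd entry, and returns the pattern numbers that match. It assumes pool_passwd entries of the form `user:secret` with the `md5`, `AES` and `TEXT` prefixes used by pg_md5/pg_enc, and that pool_hba.conf is only consulted when `enable_pool_hba = on`.

```python
"""Flag Pgpool-II configurations matching the CVE-2025-46801 advisory patterns.
Added example, not part of Pgpool-II; inputs are constructed by the caller."""

WEAK_BACKEND = {"password", "pam", "ldap"}   # pg_hba.conf methods in patterns 2 and 3


def password_storage(pool_passwd_text, user):
    """Return 'md5', 'aes', 'text' for the user's pool_passwd entry, or None if
    the user has no entry. Prefix handling is an assumption about the format."""
    for line in pool_passwd_text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, secret = line.split(":", 1)
        if name != user:
            continue
        if secret.startswith("md5"):
            return "md5"
        if secret.startswith("AES"):
            return "aes"
        return "text"   # 'TEXT' prefix or raw plain text
    return None


def vulnerable_patterns(conf, pool_hba_methods, pg_hba_methods, storage):
    """conf: dict of pgpool.conf settings (defaults: enable_pool_hba=off,
    allow_clear_text_frontend_auth=off). *_methods: auth methods used in the
    respective hba file. storage: result of password_storage(). Returns the
    list of advisory pattern numbers that this configuration matches."""
    pool_hba_on = conf.get("enable_pool_hba", "off") == "on"
    clear_off = conf.get("allow_clear_text_frontend_auth", "off") == "off"
    raw_mode = conf.get("backend_clustering_mode", "").strip("'\"") == "raw"
    weak_backend = bool(WEAK_BACKEND & set(pg_hba_methods))
    hits = []
    # Pattern 1: password in pool_hba.conf, clear-text auth off, no pool_passwd
    # entry, and scram-sha-256 or md5 on the backend.
    if (pool_hba_on and "password" in pool_hba_methods and clear_off
            and storage is None and {"scram-sha-256", "md5"} & set(pg_hba_methods)):
        hits.append(1)
    # Pattern 2: pool_hba disabled and a password/pam/ldap backend method.
    if not pool_hba_on and weak_backend:
        hits.append(2)
    # Pattern 3: raw mode, md5 in pool_hba.conf, clear-text auth off, password
    # stored in plain text or AES, and a password/pam/ldap backend method.
    if (raw_mode and pool_hba_on and "md5" in pool_hba_methods and clear_off
            and storage in ("text", "aes") and weak_backend):
        hits.append(3)
    return hits


if __name__ == "__main__":
    conf = {"enable_pool_hba": "on", "allow_clear_text_frontend_auth": "off"}
    passwd = "alice:md5deadbeef\n"   # constructed sample: bob has no entry
    print(vulnerable_patterns(conf, {"password"}, {"scram-sha-256"},
                              password_storage(passwd, "bob")))   # [1]
```

A non-empty result means the configuration should be changed or the upgrade applied; an empty result only covers the patterns listed in this advisory.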
Please take a look at the release notes.
You can download the source code and RPMs.