CVE-2026-44477

Summary

CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY … TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.

Affected Software

VendorProductVersion RangeStatus
cloudnative-pgcloudnative-pg< 1.28.3affected
cloudnative-pgcloudnative-pg>= 1.29.0, < 1.29.1affected

Weaknesses

  • CWE-250: CWE-250: Execution with Unnecessary Privileges
  • CWE-271: CWE-271: Privilege Dropping / Lowering Errors
  • CWE-426: CWE-426: Untrusted Search Path

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

github.com/cloudnative-pg/cloudnative-pg: CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE

Additional References

References