CVE Catalog

CVE-2026-44477

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

CloudNativePG before versions 1.29.1 and 1.28.3 has a vulnerability in the metrics exporter that connects to PostgreSQL as the postgres superuser via a Unix socket, then demotes the session with SET ROLE pg_monitor. Since SET ROLE only changes current_user while session_user remains postgres, an attacker can use RESET ROLE to regain superuser privileges and execute COPY ... TO PROGRAM, spawning an OS-level subprocess as the postgres user inside the primary pod.

Risk Assessment

The risk is privilege escalation from pg_monitor to full postgres superuser, allowing arbitrary system commands in the primary database pod, potentially leading to full compromise of the PostgreSQL cluster in Kubernetes.

Recommendation

Immediately upgrade CloudNativePG to version 1.29.1 or 1.28.3, which contain the fix for this vulnerability.

Original NVD description (English source)

CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS