CVE-2026-44477
Description
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cloudnative-pg/cloudnative-pgGo | < 1.28.3 | 1.28.3 |
github.com/cloudnative-pg/cloudnative-pgGo | >= 1.29.0, < 1.29.1 | 1.29.1 |
Affected products
12- Range: >= 1.29.0, < 1.29.1
- cpe:2.3:a:linuxfoundation:cloudnativepg:*:*:*:*:*:kubernetes:*:*Range: <1.28.3
- osv-coords10 versionspkg:apk/chainguard/cloudnative-pgpkg:apk/chainguard/cloudnative-pg-fipspkg:apk/chainguard/cloudnative-pg-fips-pluginspkg:apk/chainguard/cloudnative-pg-pluginspkg:apk/chainguard/plugin-barman-cloudpkg:apk/chainguard/plugin-barman-cloud-fipspkg:apk/wolfi/cloudnative-pgpkg:apk/wolfi/cloudnative-pg-pluginspkg:apk/wolfi/plugin-barman-cloudpkg:golang/github.com/cloudnative-pg/cloudnative-pg
< 1.29.1-r0+ 9 more
- (no CPE)range: < 1.29.1-r0
- (no CPE)range: < 1.29.1-r0
- (no CPE)range: < 1.29.1-r0
- (no CPE)range: < 1.29.1-r0
- (no CPE)range: < 0.12.0-r3
- (no CPE)range: < 0.12.0-r4
- (no CPE)range: < 1.29.1-r0
- (no CPE)range: < 1.29.1-r0
- (no CPE)range: < 0.12.0-r3
- (no CPE)range: < 1.28.3
Patches
Vulnerability mechanics
References
6- github.com/cloudnative-pg/cloudnative-pg/pull/10576nvdIssue TrackingPatchWEB
- github.com/advisories/GHSA-423p-g724-fr39ghsaADVISORY
- github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-44477ghsaADVISORY
- github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.28.3ghsaWEB
- github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.29.1ghsaWEB
News mentions
0No linked articles in our index yet.