Bug 2482763 (CVE-2026-44477) - CVE-2026-44477 github.com/cloudnative-pg/cloudnative-pg: CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
Summary: CVE-2026-44477 github.com/cloudnative-pg/cloudnative-pg: CloudNativePG: Metri...
Keywords:
Status: NEW
Alias: CVE-2026-44477
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 17:01 UTC by OSIDB Bzimport
Modified: 2026-06-03 05:04 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 17:01:32 UTC
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.


Note You need to log in before you can comment on or make changes to this bug.