CloudNativePG metrics exporter 1.28.x/1.29.0 superuser privilege escalation
CVE-2026-44477 Published on May 28, 2026
CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.
Vulnerability Analysis
CVE-2026-44477 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Execution with Unnecessary Privileges
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Privilege Dropping / Lowering Errors
The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.
What is an Untrusted Path Vulnerability?
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.
CVE-2026-44477 has been classified to as an Untrusted Path vulnerability or weakness.
Products Associated with CVE-2026-44477
Want to know whenever a new CVE is published for Red Hat Openshift Data Foundation? stack.watch will email you.
Affected Versions
cloudnative-pg:- Version < 1.28.3 is affected.
- Version >= 1.29.0, < 1.29.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.