CloudNativePG metrics exporter 1.28.x/1.29.0 superuser privilege escalation
CVE-2026-44477 Published on May 28, 2026

CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.

NVD

Vulnerability Analysis

CVE-2026-44477 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

Execution with Unnecessary Privileges

The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Privilege Dropping / Lowering Errors

The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. In some contexts, a system executing with elevated permissions will hand off a process/file/etc. to another process or user. If the privileges of an entity are not reduced, then elevated privileges are spread throughout a system and possibly to an attacker.

What is an Untrusted Path Vulnerability?

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

CVE-2026-44477 has been classified to as an Untrusted Path vulnerability or weakness.


Products Associated with CVE-2026-44477

Want to know whenever a new CVE is published for Red Hat Openshift Data Foundation? stack.watch will email you.

 

Affected Versions

cloudnative-pg: Red Hat Openshift Data Foundation 4:

Exploit Probability

EPSS
0.40%
Percentile
31.14%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.