{"id":"CVE-2026-44477","summary":"CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE","details":"CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.","aliases":["GHSA-423p-g724-fr39","GO-2026-5106"],"modified":"2026-07-08T08:15:34.024775526Z","published":"2026-05-28T15:46:12.241Z","related":["CGA-9x7q-44f8-4rqf"],"database_specific":{"cwe_ids":["CWE-250","CWE-271","CWE-426"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44477.json"},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44477.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-44477"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44477.json"},{"type":"ADVISORY","url":"https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44477"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482763"},{"type":"FIX","url":"https://github.com/cloudnative-pg/cloudnative-pg/pull/10576"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudnative-pg/cloudnative-pg","events":[{"introduced":"0"},{"fixed":"d0ce8ac4a6e58154520e8614025bfb1f2aa216f1"},{"introduced":"23eae00cd7aad82978397798dd27b600eb25ae3d"},{"fixed":"a4060c152630c9e8958e17d3d23f26b4eb30b69f"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:linuxfoundation:cloudnativepg:*:*:*:*:*:kubernetes:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1.28.3"},{"introduced":"1.29.0"},{"fixed":"1.29.1"}]}}],"versions":["v1.28.2","v1.29.0","v1.28.1","v1.28.0","v1.28.0-rc2","v1.28.0-rc1","v1.27.0","v1.27.0-rc1","v1.26.0","v1.26.0-rc3","v1.26.0-rc2","v1.26.0-rc1","v1.25.0","v1.25.0-rc1","v1.24.0","v1.24.0-rc1","v1.23.0","v1.21.0","v1.20.0","v1.19.0","v1.18.0","v1.17.0","v1.15.1","v1.15.0","v1.14.0","v1.13.0","v1.12.0","v1.11.0","v1.10.0","v1.9.2","v1.9.1","v1.9.0","v1.8.0","v1.7.1","v1.7.0","v1.6.0","v1.5.1","v1.5.0","v1.4.0","v1.3.0","v1.2.1","v1.2.0","v1.1.0","v1.0.0","v0.8.0","v0.7.0","v0.6.0","v0.5.0","v0.4.0","v0.3.0","v0.2.0","v0.1.0","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44477.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}