Description
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.
Published: 2026-05-28
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser over the pod-local Unix socket and then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres, so any SQL evaluated inside the scrape session can run RESET ROLE to recover the superuser privileges and then COPY … TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. Wrapping the scrape in a READ ONLY transaction does not help: that flag gates writes to database state, not the launching of external programs. The result is a privilege escalation to PostgreSQL superuser and code execution inside the database container. The assigned weaknesses are CWE‑250 (execution with unnecessary privileges), CWE‑271 (privilege dropping / lowering errors) and CWE‑426 (untrusted search path).

Affected Systems

The vulnerability affects CloudNativePG releases before 1.29.1 and 1.28.3, that is, the 1.29.x line before 1.29.1 and the 1.28.x line before 1.28.3. Any Kubernetes cluster running one of those releases is exposed; the vulnerable component is the operator's built-in metrics exporter, which is enabled by default in these releases.

Risk and Exploitability

The CVSS 4.0 score of 9.4 (AV:N/AC:L/AT:N/PR:L/UI:N, with high confidentiality, integrity and availability impact on both the vulnerable and subsequent systems) is critical. The EPSS score is below 1%, so observed exploitation is unlikely at the time of writing, and the CVE is not listed in CISA KEV. The practical precondition is control over the SQL that the exporter evaluates during a scrape, not merely the ability to reach the metrics endpoint: a scrape request by itself carries no SQL. Anyone who can get a statement into the scrape session, however, ends up with PostgreSQL superuser and a process running as the postgres user in the primary pod, so the issue is high risk wherever the queries the exporter runs can be influenced by anyone other than the cluster administrators.

Generated by OpenCVE AI on May 28, 2026 at 18:57 UTC.

Remediation

Fixed in CloudNativePG 1.29.1 and 1.28.3 (see the description above and GHSA-423p-g724-fr39). No workaround is documented on this page.

OpenCVE Recommended Actions

  • Upgrade CloudNativePG to 1.29.1 or 1.28.3 (or later), which fix the metrics exporter's privilege handling.
  • Until the upgrade lands, restrict who can define or change the SQL the exporter evaluates (any statement that reaches the scrape session is enough), and limit access to the metrics endpoint to the scrapers that need it; disabling the exporter removes the path entirely at the cost of monitoring.
  • Treat in-session demotion as no demotion: SET ROLE is undone by RESET ROLE, so the exporter's connection must authenticate as a dedicated login role that is not a superuser and is not a member of pg_execute_server_program (membership in pg_monitor is sufficient for scraping). There is no PostgreSQL setting that disables COPY; what keeps COPY … TO PROGRAM out of reach is that the connecting role lacks superuser and pg_execute_server_program.
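
As an added example (not code from this page, from CloudNativePG, or from the advisory), the following SQL reproduces the session semantics described in the Impact section and then shows the checks the last recommended action calls for: a login role demoted at authentication rather than with SET ROLE, an audit of which login roles can reach the OS through COPY … TO PROGRAM, and a listing of superuser sessions over the Unix socket. It assumes a scratch PostgreSQL instance reachable as a superuser; the role name metrics_exporter is a hypothetical name chosen for the example.

```sql
-- Added example: reproduces the SET ROLE / RESET ROLE semantics behind CVE-2026-44477
-- and shows the checks for a dedicated, non-superuser exporter role.
-- Assumptions: run in psql as a superuser on a scratch instance; the role name
-- metrics_exporter is hypothetical and not taken from CloudNativePG.

-- 1. What the vulnerable exporter does: authenticate as postgres, then "demote" in-session.
BEGIN READ ONLY;
SET ROLE pg_monitor;
SELECT current_user, session_user;          -- pg_monitor | postgres

-- Any statement evaluated in the same session undoes the demotion, because
-- SET ROLE never changed the authenticated identity (session_user).
RESET ROLE;
SELECT current_user, session_user;          -- postgres | postgres

-- READ ONLY only rejects writes to database state; spawning a program is not one.
-- 'cat > /dev/null' is a deliberately harmless program; it runs as the OS user postgres.
COPY (SELECT 1) TO PROGRAM 'cat > /dev/null';
COMMIT;

-- 2. The design that actually drops privilege: demote at authentication, not in-session.
--    pg_monitor grants the read access a scraper needs; NOSUPERUSER and the absence of
--    pg_execute_server_program membership are what keep COPY ... TO PROGRAM unreachable.
CREATE ROLE metrics_exporter LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT pg_monitor TO metrics_exporter;

-- In a separate session opened as metrics_exporter (e.g. psql -U metrics_exporter):
--   SELECT current_user, session_user;        -- metrics_exporter | metrics_exporter
--   RESET ROLE;                               -- no-op: nothing higher to fall back to
--   COPY (SELECT 1) TO PROGRAM 'cat > /dev/null';
--   -- ERROR: requires superuser or privileges of pg_execute_server_program

-- 3. Audit an existing cluster from the superuser session.
-- 3a. Login roles that can reach the OS through COPY ... TO PROGRAM.
--     Superusers implicitly pass every role check, so rolsuper is reported alongside.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_to_program
FROM pg_roles r
WHERE r.rolcanlogin
ORDER BY r.rolname;

-- 3b. Superuser sessions over the Unix socket (client_addr IS NULL). pg_stat_activity
--     reports the authenticated role (usename), not current_user, so a session that was
--     demoted only with SET ROLE still shows up here as postgres. Other local components
--     also connect this way, so treat the rows as candidates to inspect, not as proof.
SELECT pid, usename, application_name, backend_start, query
FROM pg_stat_activity
WHERE backend_type = 'client backend'
  AND client_addr IS NULL
  AND usename IN (SELECT rolname FROM pg_roles WHERE rolsuper)
ORDER BY backend_start;
```

Step 1 is the only part that needs superuser and it is self-contained; step 2 is the shape a fixed exporter connection should have, and step 3 is what to run on a cluster that cannot be upgraded yet. The second query is a starting point rather than a verdict, because pg_stat_activity cannot distinguish a SET ROLE demoted session from any other local superuser session.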


Tracking


Advisories
Source: Github GHSA
ID: GHSA-423p-g724-fr39
Title: CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Cloudnative-pg; Cloudnative-pg cloudnative-pg

Type: Vendors & Products
Values Added: Cloudnative-pg; Cloudnative-pg cloudnative-pg

Thu, 28 May 2026 17:00:00 +0000

Type: Description
Values Added: CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.

Type: Title
Values Added: CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE

Type: Weaknesses
Values Added: CWE-250, CWE-271, CWE-426

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0, score 9.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:28:44.136Z

Reserved: 2026-05-06T17:18:51.782Z

Link: CVE-2026-44477

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T17:16:30.590

Modified: 2026-05-29T16:25:57.843

Link: CVE-2026-44477

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:20Z

Weaknesses