CVE-2026-44477
Privilege Escalation via SET ROLE in CloudNativePG Metrics Exporter

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-03
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor: linuxfoundation; Product: cloudnativepg; Version range: up to 1.28.3 (exclusive)
Vendor: linuxfoundation; Product: cloudnativepg; Version range: from 1.29.0 (inclusive) to 1.29.1 (exclusive)
CWE
CWE-426: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CWE-271: The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
CWE-250: The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Executive Summary

CVE-2026-44477 is a critical security vulnerability in CloudNativePG's metrics exporter. The exporter connects to PostgreSQL as the postgres superuser via a Unix socket and then demotes the session with SET ROLE pg_monitor. Because SET ROLE changes only current_user, session_user remains the superuser (postgres), so an attacker who can get SQL evaluated inside that session can regain superuser privileges by invoking RESET ROLE.

This privilege escalation enables the attacker to execute arbitrary operating system commands inside the primary pod by using the COPY ... TO PROGRAM feature. The vulnerability can be exploited through two main paths: one involving custom metric queries with unqualified identifiers that can be shadowed by an attacker, and another involving the default monitoring query that includes an unqualified current_database() call, which can be shadowed by any non-superuser owning a database.

The vulnerability was fixed by introducing a dedicated cnpg_metrics_exporter role with limited privileges and by schema-qualifying all unqualified catalog references in monitoring queries to prevent shadowing.

Impact Analysis

This vulnerability allows a low-privilege database user to escalate their privileges to PostgreSQL superuser and execute arbitrary operating system commands inside the primary pod hosting the database.

An attacker exploiting this vulnerability can gain full control over the database and the underlying operating system environment, potentially leading to data breaches, unauthorized data modification, or disruption of services.

All deployments with default monitoring enabled are vulnerable, as well as those using custom metric queries with unqualified catalog references, making the impact widespread unless patched or mitigated.

Detection Guidance

Determining exposure starts with checking whether your CloudNativePG deployment runs a vulnerable version (any version prior to 1.28.3, or 1.29.0 up to but not including 1.29.1) and whether the metrics exporter connects as the PostgreSQL superuser via the pod-local Unix socket.

You can inspect the monitoring queries for unqualified identifiers or shadowed built-in objects that could be exploited.

Commands to help detect potential exploitation or presence of the vulnerability include:

  • Check the CloudNativePG version running in your environment to confirm if it is vulnerable.
  • Review the roles and permissions in PostgreSQL, especially if the metrics exporter is running as the postgres superuser or a role with elevated privileges.
  • Query for any shadowed objects or unqualified identifiers in custom metric queries that could be exploited.
  • Monitor for unusual COPY ... TO PROGRAM commands or subprocess executions initiated by the postgres user inside the primary pod.

Specific commands are not provided in the resources, but general PostgreSQL commands to check roles and queries include:

  • SELECT version(); -- to check PostgreSQL version
  • SELECT rolname, rolsuper FROM pg_roles WHERE rolname = 'cnpg_metrics_exporter' OR rolname = 'postgres';
  • Review monitoring queries for unqualified identifiers or suspicious SQL.
Mitigation Strategies

The immediate mitigation is to upgrade CloudNativePG to 1.28.3 or 1.29.1 (or later), the versions in which the vulnerability is fixed.

The fix involves introducing a dedicated cnpg_metrics_exporter role with only pg_monitor privileges, removing the need for superuser connections by the metrics exporter.

Additional mitigation measures include:

  • Schema-qualify all catalog references in custom monitoring queries to prevent shadowing attacks.
  • Restrict database ownership to trusted users to reduce the risk of planting shadow objects.
  • Limit the scope of target_databases for monitoring to minimize exposure.
  • Avoid exposing metric query SQL to untrusted users.

These steps help prevent privilege escalation and remote code execution via the metrics exporter.
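
As an added example (not code from this page or from the CloudNativePG project), the following Python check covers the detection item above on unqualified identifiers in custom metric queries and the first mitigation item on schema-qualifying catalog references: it flags unqualified catalog function calls and pg_* relations in query text and rewrites them with a pg_catalog. prefix. The function allow-list, the regex heuristic and the sample queries are constructed assumptions, not the project's own.

```python
import re

# Constructed allow-list of pg_catalog functions common in CloudNativePG
# monitoring queries (an assumption; extend it for your own custom queries).
CATALOG_FUNCTIONS = (
    "current_database", "pg_database_size", "pg_is_in_recovery",
    "pg_current_wal_lsn", "pg_last_wal_receive_lsn", "pg_last_wal_replay_lsn",
    "pg_wal_lsn_diff", "pg_postmaster_start_time",
)
# A call is unqualified when no "schema." prefix precedes the function name.
_CALL_RE = re.compile(
    r"(?<![\w.])(" + "|".join(CATALOG_FUNCTIONS) + r")\s*\(", re.IGNORECASE)
# FROM/JOIN on a pg_* relation with no schema prefix; the lookahead rejects
# "pg_catalog." so already-qualified references are left alone.
_REL_RE = re.compile(r"\b(FROM|JOIN)\s+(pg_[A-Za-z0-9_]*)\b(?!\.)", re.IGNORECASE)

def find_unqualified_catalog_refs(sql):
    """Unique (kind, name) pairs, in first-appearance order, for catalog
    functions and pg_* relations used without a pg_catalog. prefix.
    Regex heuristic: string literals and comments are not parsed."""
    found = []
    for m in _CALL_RE.finditer(sql):
        item = ("function", m.group(1).lower())
        if item not in found:
            found.append(item)
    for m in _REL_RE.finditer(sql):
        item = ("relation", m.group(2).lower())
        if item not in found:
            found.append(item)
    return found

def schema_qualify(sql):
    """Pin every flagged reference to pg_catalog (the advisory's fix)."""
    sql = _CALL_RE.sub(r"pg_catalog.\1(", sql)
    return _REL_RE.sub(r"\1 pg_catalog.\2", sql)

def scan_queries(queries):
    """queries maps metric name -> SQL (the shape of a custom-queries
    ConfigMap entry); returns only metrics that still need qualifying."""
    return {name: refs for name, sql in queries.items()
            if (refs := find_unqualified_catalog_refs(sql))}

# Constructed sample: one unsafe custom query and one already-qualified one.
SAMPLE_QUERIES = {
    "db_size": "SELECT current_database() AS datname, "
               "pg_database_size(current_database()) AS bytes "
               "FROM pg_stat_database WHERE datname = current_database()",
    "replication": "SELECT pg_catalog.pg_is_in_recovery() AS in_recovery "
                   "FROM pg_catalog.pg_stat_replication",
}
```

Running scan_queries(SAMPLE_QUERIES) reports only db_size, and schema_qualify() on that query yields text the scanner no longer flags.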

Compliance Impact

This vulnerability allows privilege escalation to PostgreSQL superuser and remote code execution on the operating system, which can lead to unauthorized access and control over sensitive data managed by CloudNativePG. Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access and protection of personal and sensitive information.

Because the vulnerability enables attackers to execute arbitrary OS commands and escalate privileges from low-privilege users, it increases the risk of data exposure, modification, or loss, all of which are critical concerns under these regulations.

Mitigations and patches introduced in newer versions (1.28.3 and 1.29.1) reduce this risk by eliminating the superuser connection and restricting privileges, helping organizations maintain compliance by preventing unauthorized privilege escalation.
