{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44477", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-06T17:18:51.782Z", "datePublished": "2026-05-28T15:46:12.241Z", "dateUpdated": "2026-05-28T17:28:44.136Z"}, "containers": {"cna": {"title": "CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-250", "lang": "en", "description": "CWE-250: Execution with Unnecessary Privileges", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-271", "lang": "en", "description": "CWE-271: Privilege Dropping / Lowering Errors", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-426", "lang": "en", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39"}, {"name": "https://github.com/cloudnative-pg/cloudnative-pg/pull/10576", "tags": ["x_refsource_MISC"], "url": "https://github.com/cloudnative-pg/cloudnative-pg/pull/10576"}], "affected": [{"vendor": "cloudnative-pg", "product": "cloudnative-pg", "versions": [{"version": "< 1.28.3", "status": "affected"}, {"version": ">= 1.29.0, < 1.29.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-28T15:46:12.241Z"}, "descriptions": [{"lang": "en", "value": "CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3."}], "source": {"advisory": "GHSA-423p-g724-fr39", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-28T17:28:36.663338Z", "id": "CVE-2026-44477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T17:28:44.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-28T17:28:36.663338Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T17:28:40.568Z"}}], "cna": {"title": "CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE", "source": {"advisory": "GHSA-423p-g724-fr39", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cloudnative-pg", "product": "cloudnative-pg", "versions": [{"status": "affected", "version": "< 1.28.3"}, {"status": "affected", "version": ">= 1.29.0, < 1.29.1"}]}], "references": [{"url": "https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39", "name": "https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/cloudnative-pg/cloudnative-pg/pull/10576", "name": "https://github.com/cloudnative-pg/cloudnative-pg/pull/10576", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-271", "description": "CWE-271: Privilege Dropping / Lowering Errors"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-28T15:46:12.241Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44477", "state": "PUBLISHED", "dateUpdated": "2026-05-28T17:28:44.136Z", "dateReserved": "2026-05-06T17:18:51.782Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-28T15:46:12.241Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:cloudnativepg:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "CA7ACE2F-02E6-44A2-9794-999DDF90E7F7", "versionEndExcluding": "1.28.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:cloudnativepg:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "9FEA912C-AF0C-4C91-A529-BEDFB04E8239", "versionEndExcluding": "1.29.1", "versionStartIncluding": "1.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3."}], "id": "CVE-2026-44477", "lastModified": "2026-06-03T18:56:58.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-05-28T17:16:30.590", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/cloudnative-pg/cloudnative-pg/pull/10576"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-250"}, {"lang": "en", "value": "CWE-271"}, {"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/cloudnative-pg/cloudnative-pg: CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE", "id": "2482763", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482763"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-250", "details": ["A flaw was found in CloudNativePG's metrics exporter. The issue arises because the metrics exporter connected to PostgreSQL using a highly privileged account and did not properly restrict privileges during monitoring operations. A low-privileged database user could exploit this behavior through crafted monitoring queries or PostgreSQL object resolution manipulation to regain PostgreSQL superuser privileges and potentially execute arbitrary operating system commands as the postgres user inside the affected database pod."], "mitigation": {"lang": "en:us", "value": "- Avoid using unqualified identifiers in custom monitoring queries\n- Restrict ownership of user-controlled schemas and database objects\n- Avoid unnecessary exposure of monitoring query configuration to untrusted users\n- Avoid using broad monitoring configurations such as: ``` target_databases: '*' ``` \nunless all databases and users are trusted."}, "name": "CVE-2026-44477", "package_state": [{"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/devicefinder-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-metrics-exporter-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cloudnative-pg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2026-05-28T15:46:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-44477\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44477\nhttps://github.com/cloudnative-pg/cloudnative-pg/pull/10576\nhttps://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39"], "statement": "This vulnerability affects CloudNativePG's monitoring and metrics export functionality. The attacker may exploit the affected monitoring functionality to escalate privileges within the PostgreSQL environment and potentially execute arbitrary operating system commands as the postgres user inside the affected database pod.\nRed Hat Product Security has rated this issue as an Important severity vulnerability rather than Critical.\nA successful exploitation requires access to a valid database account. A low-privileged authenticated database user (PR:L) is needed.\nAlthough exploitation may result in PostgreSQL superuser access and command execution within the affected pod, the impact remains limited to the affected PostgreSQL and container environment. It does not lead to container escape, Kubernetes cluster compromise, or host level privilege escalation. Therefore, Scope is assessed as Unchanged (S:U).\nBecause successful exploitation may allow disclosure, modification, or disruption of database contents, as well as arbitrary command execution within the affected pod, Red Hat assessed the Confidentiality, Integrity, and Availability impacts as High (C:H/I:H/A:H).", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.28.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.29.0,1.29.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "cloudnative-pg", "source": "cna", "vendor": "cloudnative-pg"}, "product": "cloudnative-pg", "vendor": "cloudnative-pg"}], "created": "2026-05-28T19:00:16.791513+00:00", "updated": "2026-05-29T15:48:20.960624+00:00", "vendors": ["cloudnative-pg", "cloudnative-pg$PRODUCT$cloudnative-pg"]}