Skip to main content

CloudNativePG EUVDEUVD-2026-32930

| CVE-2026-44477 CRITICAL
Execution with Unnecessary Privileges (CWE-250)
2026-05-11 https://github.com/cloudnative-pg/cloudnative-pg GHSA-423p-g724-fr39
9.4
CVSS 4.0 · Vendor: https://github.com/cloudnative-pg/cloudnative-pg
Share

Severity by source

Vendor (https://github.com/cloudnative-pg/cloudnative-pg) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/cloudnative-pg/cloudnative-pg).

CVSS VectorVendor: https://github.com/cloudnative-pg/cloudnative-pg

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 28, 2026 - 17:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 17:22 NVD
9.4 (CRITICAL)
Source Code Evidence Fetched
May 11, 2026 - 16:17 vuln.today
Analysis Generated
May 11, 2026 - 16:17 vuln.today
CVE Published
May 11, 2026 - 15:59 nvd
CRITICAL

DescriptionCVE.org

Impact

The CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. That residual superuser identity is the foothold for the rest of the chain.

Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes.

Two exploitation paths follow from this root cause.

Path 1: custom metric queries with unqualified identifiers (all supported releases)

A database user who owns a schema on the search_path of any scraped database can plant a shadow object whose name matches an unqualified identifier in a custom metric query. When the exporter next evaluates that query, the shadow expression executes inside the session_user = postgres scrape session, giving the attacker PostgreSQL superuser privileges and OS command execution inside the primary pod within one scrape interval (≤30 s). Exploitability requires a custom metric query that contains an unqualified relation or function reference.

Although search_path shadowing of unqualified identifiers is the most direct case, the underlying bug is that any expression evaluated inside the scrape session is a superuser code path. Other exploitable shapes include user-defined functions, operators or casts resolved during the scrape, joins or subqueries against user-owned tables and views, and index expressions or RLS policies on read-touched objects.

Path 2: stock default-monitoring.yaml (all supported releases, no custom metrics required)

The pg_extensions metric shipped in default-monitoring.yaml used an unqualified current_database() call and ran against every user database (target_databases: '*'). Any non-superuser who owns a user database (including the default app role created by bootstrap.initdb) could shadow current_database() and trigger the full escalation chain against a stock CNPG deployment on the first scrape after the shadow was planted.

Combined impact

The chain yields privilege escalation from a low-privileged database role (e.g. the default app role) to PostgreSQL superuser, plus arbitrary OS command execution as the postgres user inside the primary pod, all within one scrape interval. A web application SQL injection vulnerability in an app backed by a CNPG cluster is therefore sufficient to pivot to database-pod RCE.

Who is impacted
  • All deployments on any supported release with default monitoring enabled are affected by Path 2.
  • All deployments on any supported release that use custom metric queries containing unqualified catalog references are affected by Path 1.
  • Multi-tenant platforms that allow customers to supply or influence custom metric query bodies are at the highest risk for Path 1.

Patches

Three separate patches address the vulnerability.

Patch 1: PR #10576 "schema-qualify catalog references in default monitoring queries and documentation samples"

Schema-qualifies all unqualified pg_catalog function and view references in the shipped default-monitoring.yaml and in documentation examples. This closes Path 2 in operator-shipped configuration and removes the unqualified-identifier attack surface from all operator-shipped metric queries. Operators who clone or copy default-monitoring.yaml into custom monitoring ConfigMaps, or have copy-pasted unqualified queries elsewhere, must re-qualify those queries themselves.

Backported to all currently supported releases:

  • v1.29.x (x ≥ 1)
  • v1.28.x (x ≥ 3)
Patch 2: "dedicated cnpg_metrics_exporter role with pg_ident.conf peer mapping"

Introduces a dedicated cnpg_metrics_exporter PostgreSQL role (granted pg_monitor, no superuser privileges) and maps it in pg_ident.conf via peer authentication on the local Unix socket, following the same pattern already used for cnpg_pooler_pgbouncer. The metrics exporter connects as this role instead of postgres, so session_user is never a superuser and RESET ROLE has no escalation effect. This eliminates the root cause entirely.

Demoting the session at the SQL level (via SET SESSION AUTHORIZATION pg_monitor) is not sufficient: the privilege check for SET SESSION AUTHORIZATION is whether the *authenticated* user is a superuser, not the current session_user. With the connection still authenticated as postgres, any SQL in the session can run RESET SESSION AUTHORIZATION and recover the original superuser identity. This is the same recovery primitive as RESET ROLE, one layer up. Only changing the authenticated user closes the loop.

With this change in place, the original chain breaks at every step: RESET ROLE and RESET SESSION AUTHORIZATION cannot recover superuser, and COPY ... TO PROGRAM requires a privilege pg_monitor does not grant. As defense in depth, the monitoring transaction also prepends pg_catalog to the connection's search_path, so unqualified catalog identifiers cannot resolve to user-planted shadow objects.

This patch changes the connection identity but not how queries are evaluated. Custom metric queries within pg_monitor's scope (catalog reads, pg_stat_* views, settings) continue to work without modification. Queries that previously relied on superuser-level access (reading user-owned tables not granted to cnpg_metrics_exporter, or superuser-only catalogs such as pg_authid or pg_subscription) will fail and need explicit GRANT statements to cnpg_metrics_exporter.

The role is created and maintained with PASSWORD NULL; any password set out-of-band is cleared on the next reconcile, so the role cannot be authenticated by password regardless of operator pre-creation.

For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnpg_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades or the role is created manually (see the monitoring documentation).

The patch will be backported to all currently supported releases:

  • v1.29.x (x ≥ 1)
  • v1.28.x (x ≥ 3)

Workarounds

If upgrading immediately is not possible:

  1. Schema-qualify all identifiers in custom metric queries. Use explicit pg_catalog. prefixes for all catalog functions and views (e.g. pg_catalog.current_database(), pg_catalog.now()). This is a partial mitigation: it closes the search_path-shadowing shape in operator- and user-supplied metric bodies, but other expression shapes (user-defined functions, operators or casts; joins or subqueries on user-owned tables and views; RLS policies on read-touched objects) remain superuser code paths until Patch 2 lands.
  2. Restrict database ownership. Ensure only fully trusted roles own user databases in scraped clusters. The exploit requires the ability to plant an object on the metrics exporter's search_path in a scraped database, typically by owning the database (and therefore public via pg_database_owner) or by holding CREATE on a schema already reachable through search_path.

*PG <15 caveat:* public grants CREATE to PUBLIC by default before PostgreSQL 15, so any authenticated role in a scraped database can plant a shadow object regardless of ownership.

  1. Limit the scope of target_databases: '*' queries. Avoid target_databases: '*' unless every database in the cluster, and every role that owns one, is fully trusted. Where possible, restrict target_databases to specific, known-safe databases.
  2. Do not expose metric query SQL to untrusted users. Multi-tenant platforms that allow customers to supply or influence custom metric query bodies should treat this as a critical trust boundary until the architectural fix is released.

References

  • Fix (Patch 1): PR #10576 "schema-qualify catalog references in default monitoring queries and documentation samples"
  • Fix (Patch 2): "dedicated cnpg_metrics_exporter role with pg_ident.conf peer mapping"
  • Reported by: Mehmet Ince

AnalysisAI

Privilege escalation and OS command execution in CloudNativePG (CNPG) versions prior to 1.28.3 and 1.29.1 allow low-privileged PostgreSQL roles to gain superuser access and execute arbitrary commands inside the primary database pod. The metrics exporter connects as the postgres superuser and only demotes via SET ROLE, leaving session_user as superuser; an attacker who owns a database (including the default app role) can shadow unqualified identifiers like current_database() referenced in the stock default-monitoring.yaml, triggering the chain on the next scrape (≤30s). No public exploit identified at time of analysis, but the vulnerability is highly impactful (CVSS 9.4) and affects default deployments without custom metrics.

Technical ContextAI

CloudNativePG is a Kubernetes operator (pkg:go/github.com_cloudnative-pg_cloudnative-pg) that manages PostgreSQL clusters. The root cause maps to CWE-250 (Execution with Unnecessary Privileges): the metrics exporter authenticates over the pod-local Unix socket as the postgres superuser and uses SET ROLE pg_monitor to drop privileges, but SET ROLE only mutates current_user while session_user retains the superuser identity. Because RESET ROLE (and RESET SESSION AUTHORIZATION) restore the authenticated identity, any SQL evaluated inside a scrape session is a superuser code path. PostgreSQL's search_path resolution allows user-owned schemas (or public pre-PG 15, where CREATE is granted to PUBLIC by default) to shadow unqualified catalog references such as current_database(). Once superuser is recovered, COPY ... TO PROGRAM spawns OS subprocesses as the postgres UID inside the primary pod, even within a READ ONLY transaction (READ ONLY gates database writes, not external process execution).

RemediationAI

Vendor-released patch: upgrade to CloudNativePG v1.28.3 or v1.29.1 (https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.28.3 and https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.29.1), which include Patch 1 (PR #10576, schema-qualifying all catalog references in default-monitoring.yaml and documentation) and the upcoming Patch 2 introducing a dedicated non-superuser cnpg_metrics_exporter role with pg_ident.conf peer mapping that eliminates the root cause. For replica clusters, upgrade the source primary before the replica or the replica will scrape against a missing role. If immediate upgrade is impossible, schema-qualify every identifier in custom metric queries with explicit pg_catalog. prefixes (partial mitigation - closes only the search_path shadowing shape, not UDFs, operators, casts, or RLS expressions); restrict database ownership in scraped clusters to fully trusted roles (note PG <15 grants CREATE on public to PUBLIC by default, weakening this control); avoid target_databases: '*' unless every database and owning role is trusted, restricting to specific known-safe databases instead; and on multi-tenant platforms, treat the ability to influence metric query bodies as a critical trust boundary and revoke that capability from untrusted users. Operators who copied default-monitoring.yaml into custom ConfigMaps must re-qualify those copies manually - the upgrade does not rewrite user-managed manifests.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Vendor StatusVendor

Share

EUVD-2026-32930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy