CloudNativePG 1.29.1 Patches Critical Privilege Escalation Flaw CVE-2026-44477
A serious security vulnerability in CloudNativePG allowed low-privilege database users to escalate to PostgreSQL superuser status through the metrics exporter component. The flaw, tracked as CVE-2026-44477 and designated GHSA-423p-g724-fr39, has been patched in version 1.29.1, released May 8, 2026. The vulnerability lay in how the metrics exporter authenticated to PostgreSQL: it connected as the `postgres` superuser, which created an escalation path reachable by any database user with minimal privileges.
CloudNativePG, a widely deployed Kubernetes operator for managing PostgreSQL clusters in cloud-native environments, exposed this risk through its monitoring infrastructure. The metrics exporter, designed to collect and expose database statistics, operated with excessive privileges. An attacker with access to even a low-privilege database account could leverage the exporter's superuser authentication to execute arbitrary commands with full PostgreSQL administrative rights. The fix introduces a dedicated `cnpg_metrics_exporter` role restricted to `pg_monitor` privileges, eliminating the superuser dependency and breaking the escalation chain.
Organizations running CloudNativePG version 1.29.0 or earlier should treat this update as a priority, particularly in multi-tenant environments or any deployment where database users have untrusted access. The vulnerability underscores a broader pattern in cloud-native infrastructure: monitoring components frequently operate with elevated permissions, creating implicit trust boundaries that attackers can exploit. While no active exploitation has been reported, the attack path requires only basic database access, making detection difficult and potential exposure significant. Infrastructure teams should audit existing role configurations and verify that metrics exporters across their PostgreSQL deployments follow the principle of least privilege.
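As an added example (not from the advisory or the CloudNativePG project), the following SQL performs the role audit recommended above against a patched cluster: it lists every superuser, checks that the exporter role holds `pg_monitor` membership rather than superuser, and sweeps for other over-granted monitoring roles. It assumes the exporter role appears in the cluster under the name `cnpg_metrics_exporter` given on this page and that the server is PostgreSQL 10 or later, where `pg_monitor` exists.

```sql
-- Added example (not from the advisory or the CloudNativePG project): a
-- defender's audit of PostgreSQL role privileges, run with psql after the
-- upgrade, to confirm the metrics exporter no longer connects as a superuser.
-- Assumptions: the exporter role is named cnpg_metrics_exporter (as on the
-- page); the server is PostgreSQL 10+ (pg_monitor was added in 10).

-- 1. Every superuser on the instance. The bootstrap role 'postgres' is
--    expected here; any monitoring or application role in this list is a finding.
SELECT rolname, rolsuper, rolcanlogin
FROM   pg_roles
WHERE  rolsuper
ORDER  BY rolname;

-- 2. The exporter role itself: it must exist, must not be a superuser, must
--    hold no role/database creation rights, and must get its read access
--    through pg_monitor. pg_has_role(..., 'MEMBER') also follows inherited grants.
SELECT r.rolname,
       r.rolsuper                                 AS is_superuser,
       r.rolcreaterole                            AS can_create_role,
       r.rolcreatedb                              AS can_create_db,
       pg_has_role(r.oid, 'pg_monitor', 'MEMBER') AS member_of_pg_monitor
FROM   pg_roles r
WHERE  r.rolname = 'cnpg_metrics_exporter';

-- Expected on a patched cluster: exactly one row with is_superuser = false,
-- can_create_role = false, can_create_db = false, member_of_pg_monitor = true.
-- Zero rows means the role does not exist on this cluster and the exporter's
-- connection role must be checked by other means.

-- 3. Least-privilege sweep for the broader pattern: roles granted one of the
--    built-in pg_* roles while also being superuser. pg_monitor is redundant
--    for a superuser, so such a row signals a role that was over-granted.
SELECT m.rolname AS member, g.rolname AS granted_role
FROM   pg_auth_members am
JOIN   pg_roles m ON m.oid = am.member
JOIN   pg_roles g ON g.oid = am.roleid
WHERE  g.rolname LIKE 'pg\_%'
  AND  m.rolsuper
ORDER  BY m.rolname, g.rolname;
```

Running the three statements as a single script (for example, `psql -f audit_roles.sql`) produces a short report that can be compared across every PostgreSQL cluster in a fleet, not only those managed by CloudNativePG.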