EDB CloudNativePG Cluster 1.25.8 release notes v1.29.1

Suggest edits

Released: 8 May 2026

This release of EDB CloudNativePG Cluster is part of the LTS series for 1.25.x. EDB will continue providing LTS releases in the 1.25.x series according to our Long-Term Support policy.

EDB CloudNativePG Cluster 1.25 reaches End-of-Life in June 2026.

Users are encouraged to start planning their upgrade to a newer minor version before that date.

This release of EDB CloudNativePG Cluster includes the following:

Highlights

CVE-2026-44477 / GHSA-423p-g724-fr39: metrics exporter privilege escalation. The metrics exporter no longer authenticates as the postgres superuser. It now uses a dedicated cnp_metrics_exporter role with pg_monitor privileges only, closing a chain that let a low-privilege database user gain PostgreSQL superuser. (GHSA-423p-g724-fr39)

Upgrade impact: custom monitoring queries that read user-owned tables, or use target_databases: '*' against databases where PUBLIC CONNECT has been revoked, need explicit GRANT statements to cnp_metrics_exporter. See "Custom query privileges and safety" and "Manually creating the metrics exporter role" in the monitoring documentation.

For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnp_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades. The manual-recovery section linked above also covers replica clusters.

Security Fixes

DescriptionAddresses
Schema-qualified catalog references in default monitoring queries

Hardened the shipped monitoring configuration and documentation samples by qualifying every pg_catalog object explicitly. Unqualified references resolve through search_path, which a database user can manipulate to shadow built-in objects.

#10576
Discoverable SBOM and provenance attestations

SBOM and SLSA provenance attached to operator container images now follow the OCI 1.1 Referrers spec, so standard registry tooling and supply-chain scanners can discover them automatically.

#10601
CVE remediation in github.com/jackc/pgx/v5

Bumped to v5.9.2 to pick up upstream fixes for CVE-2026-33816(memory-safety in pgproto3) and GHSA-j88v-2chj-qfwx (SQL injection via simple-protocol dollar-quoted string handling).

#10435, #10497
CVE remediation in the Go runtime

Built with Go 1.26.3 to pick up upstream fixes in crypto/x509,crypto/tls, net/http, and net (CVE-2026-32280, CVE-2026-32281, CVE-2026-33810, CVE-2026-33814, CVE-2026-33811, CVE-2026-39825).

#10461, #10647
Build pipeline hardening

The Go 1.26.3 bump also addresses CVE-2026-42501 (cmd/go module-checksum validation), reducing supply-chain exposure during release builds. The affected code paths are not reachable from the running operator.

#10647

Changes

DescriptionAddresses
Switched TLS peer verification from VerifyPeerCertificate toVerifyConnection, which runs on every completed handshake (the former is skipped on resumed TLS 1.3 sessions).

Session resumption is not enabled in EDB Postgres for Kubernetes today, so this has no observable effect, but it future-proofs verification if session caching is introduced later.

#10478

Bug Fixes

DescriptionAddresses
Fixed a failover window where the former primary kept its primary label.

If the former primary returned during failover (for example, after a transient network partition), the -rw service kept routing to it, replicas could reconnect, and committed writes were lost to pg_rewind. The old primary is now labeled unhealthy to isolate it from service traffic during failover.

#10409
Fixed failover not being triggered when the node hosting the primary becomes unreachable.

The operator now reads the pod's Ready condition (flipped to False by the node controller when the kubelet stops reporting) instead ofContainersReady, which stays stale as True in that scenario. Combined with the spurious-failover guard (#10445), failover triggers only when Kubernetes itself marks the pod not Ready.

#10448
Fixed spurious failovers caused by transient failures on the primary's HTTP status endpoint.#10445
Fixed escaping of backslashes and control characters in PostgreSQL configuration values.

Previously, such characters in parameters like log_line_prefix could corrupt the configuration file or be silently stripped at runtime.

#10515
Fixed restore_command construction to shell-quote each argument.

Values such as a destinationPath containing whitespace (for example,s3://my bucket/wal) were word-split by the POSIX shell and passed to the WAL restore tool as separate arguments.

#10518
Tightened recoveryTarget validation in the admission webhook.

targetXID must now be a non-negative 32-bit integer, and targetNamemust be shorter than 64 bytes and free of ASCII control characters. Malformed values are rejected at admission instead of failing later during PostgreSQL recovery.

#10565
Fixed snapshot restores failing when leftover `pgsql_tmp*` directories were present in the data directory.#10447
Fixed a deadlock occurring when PVC storage size and resource requests are changed simultaneously.#10427
← Prev

EDB CloudNativePG Cluster 1.26.0 release notes

↑ Up

EDB CloudNativePG Cluster release notes

Next →

EDB CloudNativePG Cluster 1.25.7 release notes