CVE-2026-44477 - Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE

First Published: 2026/05/12

Important: This assessment evaluates the impact of CVE-2026-44477 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

The CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres.

Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, and subsequently use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod - bypassing the READ ONLY transaction flag, which does not prevent writes to external processes.
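The following SQL is an added illustration for this advisory, not EDB's or CloudNativePG's own fix. It first shows the session_user / current_user semantics the summary relies on, then the defensive pattern of giving the exporter its own non-superuser login role so that RESET ROLE has no superuser identity to fall back to, and finally two audit queries. The role name cnpg_exporter and the database name app are assumptions.

```sql
-- Added example for CVE-2026-44477 (not EDB's or CloudNativePG's code).
-- Assumed names: login role "cnpg_exporter", database "app".

-- 1. Why SET ROLE is not a demotion. Run as a superuser for illustration:
--    SET ROLE changes current_user only; session_user stays "postgres",
--    and RESET ROLE inside the same session restores the original identity.
SET ROLE pg_monitor;
SELECT session_user, current_user;   -- postgres | pg_monitor
RESET ROLE;
SELECT session_user, current_user;   -- postgres | postgres

-- 2. Hardened pattern: a dedicated login role whose *session* identity is
--    already least-privilege. Membership in pg_monitor gives the exporter
--    read access to statistics views; the role is not a superuser and is not
--    a member of pg_execute_server_program, so COPY ... TO PROGRAM is refused
--    no matter what role the session switches to or resets.
CREATE ROLE cnpg_exporter LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION;
GRANT CONNECT ON DATABASE app TO cnpg_exporter;
GRANT pg_monitor TO cnpg_exporter;

-- Defence in depth for the scrape session (per-role defaults, not just a
-- transaction flag the query can escape from):
ALTER ROLE cnpg_exporter SET default_transaction_read_only = on;
ALTER ROLE cnpg_exporter SET statement_timeout = '10s';

-- 3a. Inside any session (for example, added as a guard query to the scrape):
--     does the session user have superuser rights that RESET ROLE could recover?
SELECT rolname, rolsuper
FROM pg_roles
WHERE rolname = session_user;        -- expected for the exporter: cnpg_exporter | f

-- 3b. Fleet-wide audit: pg_stat_activity.usename is the session user, so a
--     superuser connection that was "demoted" with SET ROLE still appears here.
SELECT a.pid, a.usename, a.application_name, a.client_addr, a.backend_start
FROM pg_stat_activity a
JOIN pg_roles r ON r.rolname = a.usename
WHERE r.rolsuper
  AND a.backend_type = 'client backend';
```

Query 3b needs pg_read_all_stats (included in pg_monitor) or superuser to see other sessions' details; run it from an administrative session and treat any exporter connection that lists a superuser usename as a finding, since no amount of SET ROLE in that session removes the superuser identity.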

Vulnerability details

CVE-ID: CVE-2026-44477

CVE Publish Date: TBD

CVSS Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products and versions

All previous versions of each of the products listed below are affected by this vulnerability. The EDB Cloud Service does not expose custom metrics, which significantly reduces the severity of this vulnerability.

  • EDB Cloud Service (formerly BigAnimal)
  • Hybrid Manager (HM)
  • EDB Postgres® AI for CloudNativePG™
  • EDB Postgres® AI for CloudNativePG™ Cluster
  • EDB Postgres® AI for CloudNativePG™ Global Cluster

Remediation/fixes

EDB Cloud Service automatically updates according to the Fix Published date below. To remediate the issue in EDB Postgres® AI for CloudNativePG™ Global Cluster, update EDB Postgres® AI for CloudNativePG™ to a fixed version. For all other affected products, update to the latest version of the affected product.

Fixed Product Versions

Product                                        Fixed In                  Fix Published
EDB Cloud Service                                                        2026-05-25
Hybrid Manager - Innovation Release            2026.5                    2026-05-12
Hybrid Manager - LTS                           1.3.9                     2026-06-12
EDB Postgres® AI for CloudNativePG™            1.29.1, 1.28.3            2026-05-12
EDB Postgres® AI for CloudNativePG™ Cluster    1.29.1, 1.28.3, 1.25.8    2026-05-12
