[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-44477":6},{"stargazers_count":4,"fetched_at":5},6,"2026-05-28T19:18:46.832Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":176,"aliases":177,"duplicate_of":9,"upstream":179,"downstream":180,"duplicates":181,"related":182,"reserved_at":9,"published_at":185,"modified_at":186,"state":187,"summary":188,"references_raw":195,"kevs":222,"epss":9,"epss_history":223,"metrics":224,"affected":233},"CVE-2026-44477","CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3.",null,[11,32,40],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-250","Execution with Unnecessary Privileges","The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.","weakness","Draft","Base","Medium",[20,24,28],{"id":21,"name":22,"techniques":23},"CAPEC-104","Cross Zone Scripting",[],{"id":25,"name":26,"techniques":27},"CAPEC-470","Expanding Control over the Operating System from the Database",[],{"id":29,"name":30,"techniques":31},"CAPEC-69","Target Programs with Elevated Privileges",[],{"_key":33,"id":33,"name":34,"description":35,"type":15,"status":36,"abstraction":37,"likelihood_of_exploit":38,"capec":39},"CWE-271","Privilege Dropping / Lowering Errors","The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.","Incomplete","Class","High",[],{"_key":41,"id":41,"name":42,"description":43,"type":15,"status":44,"abstraction":17,"likelihood_of_exploit":38,"capec":45},"CWE-426","Untrusted Search Path","The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.","Stable",[46],{"id":47,"name":48,"techniques":49},"CAPEC-38","Leveraging/Manipulating Configuration File Search Paths",[50,136],{"id":51,"name":52,"tactics":53,"countermeasures":69},"T1574.007","Path Interception by PATH Environment Variable",[54,57,60,63,66],{"id":55,"name":56},"TA0110","Persistence",{"id":58,"name":59},"TA0111","Privilege Escalation",{"id":61,"name":62},"TA0030","Defense Evasion",{"id":64,"name":65},"TA0005","Stealth",{"id":67,"name":68},"TA0104","Execution",[70,75,79,83,87,92,97,102,107,112,116,120,124,128,132],{"id":71,"name":72,"tactic":73},"D3-FA","File Analysis",{"name":74},"Detect",{"id":76,"name":77,"tactic":78},"D3-FIM","File Integrity Monitoring",{"name":74},{"id":80,"name":81,"tactic":82},"D3-DA","Dynamic Analysis",{"name":74},{"id":84,"name":85,"tactic":86},"D3-EFA","Emulated File Analysis",{"name":74},{"id":88,"name":89,"tactic":90},"D3-FEV","File Eviction",{"name":91},"Evict",{"id":93,"name":94,"tactic":95},"D3-DF","Decoy File",{"name":96},"Deceive",{"id":98,"name":99,"tactic":100},"D3-FE","File Encryption",{"name":101},"Harden",{"id":103,"name":104,"tactic":105},"D3-RF","Restore File",{"name":106},"Restore",{"id":108,"name":109,"tactic":110},"D3-CF","Content Filtering",{"name":111},"Isolate",{"id":113,"name":114,"tactic":115},"D3-LFP","Local File Permissions",{"name":111},{"id":117,"name":118,"tactic":119},"D3-RFAM","Remote File Access Mediation",{"name":111},{"id":121,"name":122,"tactic":123},"D3-CQ","Content Quarantine",{"name":111},{"id":125,"name":126,"tactic":127},"D3-CM","Content Modification",{"name":111},{"id":129,"name":130,"tactic":131},"D3-EAL","Executable Allowlisting",{"name":111},{"id":133,"name":134,"tactic":135},"D3-EDL","Executable Denylisting",{"name":111},{"id":137,"name":138,"tactics":139,"countermeasures":145},"T1574.009","Path Interception by Unquoted Path",[140,141,142,143,144],{"id":55,"name":56},{"id":58,"name":59},{"id":61,"name":62},{"id":64,"name":65},{"id":67,"name":68},[146,148,150,152,154,156,158,160,162,164,166,168,170,172,174],{"id":71,"name":72,"tactic":147},{"name":74},{"id":76,"name":77,"tactic":149},{"name":74},{"id":80,"name":81,"tactic":151},{"name":74},{"id":84,"name":85,"tactic":153},{"name":74},{"id":88,"name":89,"tactic":155},{"name":91},{"id":93,"name":94,"tactic":157},{"name":96},{"id":98,"name":99,"tactic":159},{"name":101},{"id":103,"name":104,"tactic":161},{"name":106},{"id":108,"name":109,"tactic":163},{"name":111},{"id":113,"name":114,"tactic":165},{"name":111},{"id":117,"name":118,"tactic":167},{"name":111},{"id":121,"name":122,"tactic":169},{"name":111},{"id":125,"name":126,"tactic":171},{"name":111},{"id":129,"name":130,"tactic":173},{"name":111},{"id":133,"name":134,"tactic":175},{"name":111},[],[178],"GHSA-423p-g724-fr39",[],[],[],[183],{"_key":184},"CGA-9X7Q-44F8-4RQF","2026-05-28T15:46:12.241Z","2026-05-28T17:28:44.136Z","Received",{"cisa_kev":189,"cisa_ransomware":189,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":190,"severity_score":191,"severity_version":192,"severity_source":193,"severity_vector":194,"severity_status":187},false,"critical",9.4,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",[196,204,209,214,218],{"url":197,"sources":198,"tags":201},"https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39",[199,193,200],"osv_go","nvd",[202,203],"WEB","X Refsource CONFIRM",{"url":205,"sources":206,"tags":207},"https://github.com/cloudnative-pg/cloudnative-pg/pull/10576",[199,193,200],[202,208],"X Refsource MISC",{"url":210,"sources":211,"tags":212},"https://github.com/cloudnative-pg/cloudnative-pg",[199],[213],"PACKAGE",{"url":215,"sources":216,"tags":217},"https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.28.3",[199],[202],{"url":219,"sources":220,"tags":221},"https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.29.1",[199],[202],[],[],[225,227,230],{"source":199,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":226},{"baseScore":191,"baseSeverity":9,"vectorString":194,"impactScore":9,"exploitabilityScore":9},{"source":193,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":228},{"baseScore":191,"baseSeverity":229,"vectorString":194,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":200,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":231},{"baseScore":191,"baseSeverity":229,"vectorString":232,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[234,248],{"ecosystem":9,"name":235,"vendor":235,"product":235,"cpe_part":236,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":237},"cloudnative-pg","a",[238,243],{"version":239,"is_range":240,"range_type":193,"version_start":9,"version_start_type":9,"version_end":241,"version_end_type":242,"fixed_in":9},"\u003C 1.28.3",true,"1.28.3","excluding",{"version":244,"is_range":240,"range_type":193,"version_start":245,"version_start_type":246,"version_end":247,"version_end_type":242,"fixed_in":9},">= 1.29.0, \u003C 1.29.1","1.29.0","including","1.29.1",{"ecosystem":249,"name":250,"vendor":251,"product":235,"cpe_part":9,"purl_type":252,"purl_namespace":251,"purl_name":235,"source":9,"versions":253},"Go","github.com/cloudnative-pg/cloudnative-pg","github.com/cloudnative-pg","golang",[254,257],{"version":255,"is_range":240,"range_type":256,"version_start":9,"version_start_type":9,"version_end":241,"version_end_type":242,"fixed_in":9},"lt1_28_3","semver",{"version":258,"is_range":240,"range_type":256,"version_start":245,"version_start_type":246,"version_end":247,"version_end_type":242,"fixed_in":9},"gte1_29_0_lt1_29_1"]