CloudNativePG versions 1.29.1 and 1.28.3 have been released as high-priority maintenance updates. The primary fix addresses CVE-2026-44477, the first CVE assigned against CloudNativePG, which allowed superuser privilege escalation and arbitrary OS command execution inside the primary pod. The vulnerability stemmed from the metrics exporter connecting as the postgres superuser and using SET ROLE pg_monitor for demotion — an insufficient guard since RESET ROLE could recover full privileges. The fix introduces a dedicated cnpg_metrics_exporter role with pg_monitor privileges only. Three HA failover bugs are also resolved, including a label retention issue that could route writes to a former primary during network partitions. The releases also bundle pgx/v5 v5.9.2 (fixing memory-safety and SQL injection CVEs), Go 1.26.3 runtime security fixes, and improved OCI 1.1-compliant SBOM attestations. All users are urged to upgrade immediately.
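The two patterns described above, as an added example that is not part of the release note or CloudNativePG's own code: it assumes a psql session opened as the superuser `postgres` on a scratch database, and uses the `cnpg_metrics_exporter` role name from the release (the exact privileges the project grants it are not shown here, only pg_monitor membership).

```sql
-- 1. Weak pattern: the exporter connects as the superuser and "demotes"
--    itself with SET ROLE. This only changes current_user, not session_user.
SET ROLE pg_monitor;
SELECT current_user, session_user;
--  current_user | session_user
--  pg_monitor   | postgres
SELECT rolsuper FROM pg_roles WHERE rolname = current_user;   -- f

-- Any SQL that reaches this session can undo the demotion, because RESET ROLE
-- falls back to the session user, which is still a superuser.
RESET ROLE;
SELECT current_user, session_user;
--  postgres | postgres
SELECT rolsuper FROM pg_roles WHERE rolname = current_user;   -- t

-- 2. Fix: a dedicated login role that holds only pg_monitor membership.
--    Superuser and object-creation flags are explicitly off.
CREATE ROLE cnpg_metrics_exporter
    LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;
GRANT pg_monitor TO cnpg_metrics_exporter;

-- Reconnect as the dedicated role (psql meta-command; keeps the same database).
\c - cnpg_metrics_exporter

-- Now RESET ROLE has nothing to recover: the session user itself is unprivileged.
RESET ROLE;
SELECT current_user, session_user,
       rolsuper,
       pg_has_role(session_user, 'pg_monitor', 'MEMBER') AS is_monitor
FROM pg_roles WHERE rolname = session_user;
--  cnpg_metrics_exporter | cnpg_metrics_exporter | f | t

-- Escalating back to the superuser is refused outright.
SET ROLE postgres;
-- ERROR:  permission denied to set role "postgres"

-- Monitoring still works: pg_monitor members see every row of pg_stat_activity.
SELECT count(*) FROM pg_stat_activity;
```

The defender's check is the `rolsuper`/`session_user` query: a metrics connection is only safely demoted when `session_user` itself is a non-superuser role, not when `current_user` has been switched with SET ROLE.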