fix(deps): update module github.com/cloudnative-pg/cloudnative-pg to v1.29.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cloudnative-pg/cloudnative-pg	v1.29.0 → v1.29.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE

CVE-2026-44477 / GHSA-423p-g724-fr39

More information

Details

Impact

The CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. That residual superuser identity is the foothold for the rest of the chain.

Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes.

Two exploitation paths follow from this root cause.

Path 1: custom metric queries with unqualified identifiers (all supported releases)

A database user who owns a schema on the search_path of any scraped database can plant a shadow object whose name matches an unqualified identifier in a custom metric query. When the exporter next evaluates that query, the shadow expression executes inside the session_user = postgres scrape session, giving the attacker PostgreSQL superuser privileges and OS command execution inside the primary pod within one scrape interval (≤30 s). Exploitability requires a custom metric query that contains an unqualified relation or function reference.

Although search_path shadowing of unqualified identifiers is the most direct case, the underlying bug is that any expression evaluated inside the scrape session is a superuser code path. Other exploitable shapes include user-defined functions, operators or casts resolved during the scrape, joins or subqueries against user-owned tables and views, and index expressions or RLS policies on read-touched objects.

Path 2: stock default-monitoring.yaml (all supported releases, no custom metrics required)

The pg_extensions metric shipped in default-monitoring.yaml used an unqualified current_database() call and ran against every user database (target_databases: '*'). Any non-superuser who owns a user database (including the default app role created by bootstrap.initdb) could shadow current_database() and trigger the full escalation chain against a stock CNPG deployment on the first scrape after the shadow was planted.

Combined impact

The chain yields privilege escalation from a low-privileged database role (e.g. the default app role) to PostgreSQL superuser, plus arbitrary OS command execution as the postgres user inside the primary pod, all within one scrape interval. A web application SQL injection vulnerability in an app backed by a CNPG cluster is therefore sufficient to pivot to database-pod RCE.

Who is impacted

• All deployments on any supported release with default monitoring enabled are affected by Path 2.
• All deployments on any supported release that use custom metric queries containing unqualified catalog references are affected by Path 1.
• Multi-tenant platforms that allow customers to supply or influence custom metric query bodies are at the highest risk for Path 1.

Patches

Three separate patches address the vulnerability.

Patch 1: PR #​10576 "schema-qualify catalog references in default monitoring queries and documentation samples"

Schema-qualifies all unqualified pg_catalog function and view references in the shipped default-monitoring.yaml and in documentation examples. This closes Path 2 in operator-shipped configuration and removes the unqualified-identifier attack surface from all operator-shipped metric queries. Operators who clone or copy default-monitoring.yaml into custom monitoring ConfigMaps, or have copy-pasted unqualified queries elsewhere, must re-qualify those queries themselves.

Backported to all currently supported releases:

• v1.29.x (x ≥ 1)
• v1.28.x (x ≥ 3)

Patch 2: "dedicated cnpg_metrics_exporter role with pg_ident.conf peer mapping"

Introduces a dedicated cnpg_metrics_exporter PostgreSQL role (granted pg_monitor, no superuser privileges) and maps it in pg_ident.conf via peer authentication on the local Unix socket, following the same pattern already used for cnpg_pooler_pgbouncer. The metrics exporter connects as this role instead of postgres, so session_user is never a superuser and RESET ROLE has no escalation effect. This eliminates the root cause entirely.

Demoting the session at the SQL level (via SET SESSION AUTHORIZATION pg_monitor) is not sufficient: the privilege check for SET SESSION AUTHORIZATION is whether the authenticated user is a superuser, not the current session_user. With the connection still authenticated as postgres, any SQL in the session can run RESET SESSION AUTHORIZATION and recover the original superuser identity. This is the same recovery primitive as RESET ROLE, one layer up. Only changing the authenticated user closes the loop.

With this change in place, the original chain breaks at every step: RESET ROLE and RESET SESSION AUTHORIZATION cannot recover superuser, and COPY ... TO PROGRAM requires a privilege pg_monitor does not grant. As defense in depth, the monitoring transaction also prepends pg_catalog to the connection's search_path, so unqualified catalog identifiers cannot resolve to user-planted shadow objects.

This patch changes the connection identity but not how queries are evaluated. Custom metric queries within pg_monitor's scope (catalog reads, pg_stat_* views, settings) continue to work without modification. Queries that previously relied on superuser-level access (reading user-owned tables not granted to cnpg_metrics_exporter, or superuser-only catalogs such as pg_authid or pg_subscription) will fail and need explicit GRANT statements to cnpg_metrics_exporter.

The role is created and maintained with PASSWORD NULL; any password set out-of-band is cleared on the next reconcile, so the role cannot be authenticated by password regardless of operator pre-creation.

For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnpg_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades or the role is created manually (see the monitoring documentation).

The patch will be backported to all currently supported releases:

• v1.29.x (x ≥ 1)
• v1.28.x (x ≥ 3)

Workarounds

If upgrading immediately is not possible:

1. Schema-qualify all identifiers in custom metric queries. Use explicit pg_catalog. prefixes for all catalog functions and views (e.g. pg_catalog.current_database(), pg_catalog.now()). This is a partial mitigation: it closes the search_path-shadowing shape in operator- and user-supplied metric bodies, but other expression shapes (user-defined functions, operators or casts; joins or subqueries on user-owned tables and views; RLS policies on read-touched objects) remain superuser code paths until Patch 2 lands.

2. Restrict database ownership. Ensure only fully trusted roles own user databases in scraped clusters. The exploit requires the ability to plant an object on the metrics exporter's search_path in a scraped database, typically by owning the database (and therefore public via pg_database_owner) or by holding CREATE on a schema already reachable through search_path.

   PG <15 caveat: public grants CREATE to PUBLIC by default before PostgreSQL 15, so any authenticated role in a scraped database can plant a shadow object regardless of ownership.

3. Limit the scope of target_databases: '*' queries. Avoid target_databases: '*' unless every database in the cluster, and every role that owns one, is fully trusted. Where possible, restrict target_databases to specific, known-safe databases.

4. Do not expose metric query SQL to untrusted users. Multi-tenant platforms that allow customers to supply or influence custom metric query bodies should treat this as a critical trust boundary until the architectural fix is released.

References

• Fix (Patch 1): PR #​10576 "schema-qualify catalog references in default monitoring queries and documentation samples"
• Fix (Patch 2): "dedicated cnpg_metrics_exporter role with pg_ident.conf peer mapping"
• Reported by: Mehmet Ince

Severity

• CVSS Score: 9.4 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

• https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39
• https://github.com/cloudnative-pg/cloudnative-pg/pull/10576
• https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.28.3
• https://github.com/cloudnative-pg/cloudnative-pg/releases/tag/v1.29.1
• https://github.com/advisories/GHSA-423p-g724-fr39

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

cloudnative-pg/cloudnative-pg (github.com/cloudnative-pg/cloudnative-pg)

v1.29.1

Compare Source

Release date: May 8, 2026

Security and Supply Chain

• CVE-2026-44477 / GHSA-423p-g724-fr39: metrics exporter privilege escalation: the metrics exporter no longer authenticates as the postgres superuser. It now uses a dedicated cnpg_metrics_exporter role with pg_monitor privileges only, closing a chain that let a low-privilege database user gain PostgreSQL superuser. (GHSA-423p-g724-fr39)

  Upgrade impact: custom monitoring queries that read user-owned tables, or use target_databases: '*' against databases where PUBLIC CONNECT has been revoked, need explicit GRANT statements to cnpg_metrics_exporter. See "Custom query privileges and safety" and "Manually creating the metrics exporter role" in the monitoring documentation.

  For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnpg_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades. The manual-recovery section linked above also covers replica clusters.

• Schema-qualified catalog references in default monitoring queries: hardened the shipped monitoring configuration and documentation samples by qualifying every pg_catalog object explicitly. Unqualified references resolve through search_path, which a database user can manipulate to shadow built-in objects. (#​10576)

• Discoverable SBOM and provenance attestations: SBOM and SLSA provenance attached to operator container images now follow the OCI 1.1 Referrers spec, so standard registry tooling and supply-chain scanners can discover them automatically. (#​10601)

• CVE remediation in github.com/jackc/pgx/v5: bumped to v5.9.2 to pick up upstream fixes for CVE-2026-33816 (memory-safety in pgproto3) and GHSA-j88v-2chj-qfwx (SQL injection via simple-protocol dollar-quoted string handling). (#​10437, #​10499)

• CVE remediation in the Go runtime: built with Go 1.26.3 to pick up upstream fixes in crypto/x509, crypto/tls, net/http, and net (CVE-2026-32280, CVE-2026-32281, CVE-2026-33810, CVE-2026-33814, CVE-2026-33811, CVE-2026-39825). (#​10463, #​10647)

• Build pipeline hardening: the Go 1.26.3 bump also addresses CVE-2026-42501 (cmd/go module-checksum validation), reducing supply-chain exposure during release builds. The affected code paths are not reachable from the running operator. (#​10647)

Changes

• Switched TLS peer verification from VerifyPeerCertificate to VerifyConnection, which runs on every completed handshake (the former is skipped on resumed TLS 1.3 sessions). Session resumption is not enabled in CloudNativePG today, so this has no observable effect, but it future-proofs verification if session caching is introduced later. (#​10478)

Fixes

• Fixed a failover window where the former primary kept its primary label. If it returned during failover (for example, after a transient network partition), the -rw service kept routing to it, replicas could reconnect, and committed writes were lost to pg_rewind. The old primary is now labeled unhealthy to isolate it from service traffic during failover. (#​10409)

• Fixed failover not being triggered when the node hosting the primary becomes unreachable. The operator now reads the pod's Ready condition (flipped to False by the node controller when the kubelet stops reporting) instead of ContainersReady, which stays stale as True in that scenario. Combined with the spurious-failover guard (#​10445), failover triggers only when Kubernetes itself marks the pod not Ready. (#​10448)

• Fixed spurious failovers caused by transient failures on the primary's HTTP status endpoint. (#​10445)

• Fixed escaping of backslashes and control characters in PostgreSQL configuration values. Previously, such characters in parameters like log_line_prefix could corrupt the configuration file or be silently stripped at runtime. (#​10515)

• Fixed restore_command construction to shell-quote each argument. Values such as a destinationPath containing whitespace (for example, s3://my bucket/wal) were word-split by the POSIX shell and passed to the WAL restore tool as separate arguments. (#​10518)

• Tightened recoveryTarget validation in the admission webhook: targetXID must now be a non-negative 32-bit integer, and targetName must be shorter than 64 bytes and free of ASCII control characters. Malformed values are rejected at admission instead of failing later during PostgreSQL recovery. (#​10565)

• Fixed snapshot restores failing when leftover pgsql_tmp* directories were present in the data directory. (#​10447)

• Fixed a deadlock occurring when PVC storage size and resource requests are changed simultaneously. (#​10427)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 21 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.26.0 -> 1.26.3
github.com/Masterminds/semver/v3	v3.4.0 -> v3.5.0
github.com/fxamacker/cbor/v2	v2.9.0 -> v2.9.1
github.com/go-openapi/jsonpointer	v0.22.4 -> v0.23.1
github.com/go-openapi/jsonreference	v0.21.4 -> v0.21.5
github.com/go-openapi/swag	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/cmdutils	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/conv	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/fileutils	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/jsonname	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/jsonutils	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/loading	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/mangling	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/netutils	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/stringutils	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/typeutils	v0.25.4 -> v0.26.0
github.com/go-openapi/swag/yamlutils	v0.25.4 -> v0.26.0
go.uber.org/zap	v1.27.1 -> v1.28.0
go.yaml.in/yaml/v2	v2.4.3 -> v2.4.4
golang.org/x/time	v0.14.0 -> v0.15.0
k8s.io/kube-openapi	v0.0.0-20260317180543-43fb72c5454a -> v0.0.0-20260502001324-b7f5293f4787
sigs.k8s.io/structured-merge-diff/v6	v6.3.2 -> v6.4.0