Description
The CloudNativePG (CNPG) instance manager opens superuser connections to managed PostgreSQL databases without pinning search_path in the connection startup packet. A role holding DATABASE OWNER on any managed database — a role CNPG creates by default at cluster bootstrap — can plant attacker-controlled overloads of built-in operators (for example =, >) in the public schema and re-target the database- or role-level search_path so those overloads resolve before pg_catalog.
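A defensive check for the search_path re-targeting described above, as an added example that is not code from CloudNativePG: it takes entries in the `name=value` form stored in `pg_db_role_setting.setconfig` and reports every database- or role-level `search_path` that places another schema ahead of `pg_catalog`. The names `setting`, `aheadOfCatalog` and `audit` are hypothetical, and the sample rows are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

type setting struct{ Database, Role, Config string } // one setconfig entry; "" = all

// aheadOfCatalog lists the schemas searched before pg_catalog, which is
// implicitly first unless search_path names it at a later position.
func aheadOfCatalog(value string) (ahead []string) {
	var cur strings.Builder
	inQuote := false
	for _, r := range value + "," {
		switch {
		case r == '"':
			inQuote = !inQuote
		case inQuote: // quoted names keep their case
			cur.WriteRune(r)
		case r == ',':
			if cur.String() == "pg_catalog" {
				return ahead
			}
			if cur.Len() > 0 {
				ahead = append(ahead, cur.String())
			}
			cur.Reset()
		case r != ' ': // unquoted names fold to lower case
			cur.WriteString(strings.ToLower(string(r)))
		}
	}
	return nil // pg_catalog not listed: searched first implicitly
}

// audit reports every search_path setting that demotes pg_catalog.
func audit(rows []setting) (findings []string) {
	for _, row := range rows {
		value, ok := strings.CutPrefix(row.Config, "search_path=")
		if ahead := aheadOfCatalog(value); ok && len(ahead) > 0 {
			findings = append(findings, fmt.Sprintf("db=%q role=%q: %s ahead of pg_catalog", row.Database, row.Role, strings.Join(ahead, ", ")))
		}
	}
	return findings
}

func main() {
	rows := []setting{{"app", "", "search_path=public, pg_catalog"}, {"", "app", `search_path="$user", public`}} // constructed rows
	fmt.Println(audit(rows))
}
```

A setting that omits `pg_catalog` is not reported, because PostgreSQL then searches it before every listed schema; only an explicit later position demotes it.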
Vulnerability Information
- Product / Framework: CloudNative PostgreSQL
- Vendor Domain: cloudnative-pg.io
- Vulnerability Type: Misconfiguration
