So, why can a role with NOCREATEDB create a role that can create a DB?
Cannot answer why, but given it is documented as working this way, this isn’t a bug.
“Be careful with the CREATEROLE privilege. There is no concept of inheritance for the privileges of a CREATEROLE-role. That means that even if a role does not have a certain privilege but is allowed to create other roles, it can easily create another role with different privileges than its own (except for creating roles with superuser privileges).”
David J.
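
The documented behaviour quoted above, reproduced in a rolled-back transaction and followed by an audit of which roles hold CREATEROLE. This is an added example, not part of the original thread. The role names demo_role_admin and demo_db_creator are hypothetical, and it assumes a superuser session on a scratch server older than PostgreSQL 16; from version 16 on, a CREATEROLE role can only hand out CREATEDB, REPLICATION and BYPASSRLS if it holds them itself, so the second CREATE ROLE is rejected there.

```sql
-- Part 1: reproduce the behaviour without leaving anything behind.
BEGIN;

-- A role that may create roles but may not create databases (hypothetical name).
CREATE ROLE demo_role_admin NOLOGIN CREATEROLE NOCREATEDB;

-- Act as that role for the rest of the transaction.
SET LOCAL ROLE demo_role_admin;

-- Before PostgreSQL 16 this succeeds even though the creator lacks CREATEDB.
-- On 16 and later it fails with "permission denied to create role".
CREATE ROLE demo_db_creator NOLOGIN CREATEDB;

RESET ROLE;

-- Compare the attributes of the creator and the role it created.
SELECT rolname, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolname IN ('demo_role_admin', 'demo_db_creator')
ORDER BY rolname;

-- Role creation is transactional, so both demo roles disappear here.
ROLLBACK;

-- Part 2: audit. Every non-superuser role listed here should be treated as
-- able to grant the attributes it does not hold itself (on servers before 16).
SELECT rolname,
       rolcanlogin,
       rolcreatedb,
       rolreplication,
       rolbypassrls
FROM pg_roles
WHERE rolcreaterole
  AND NOT rolsuper
ORDER BY rolname;

-- Role attributes are not inherited through membership, but direct members
-- can SET ROLE to a CREATEROLE role, so list them as well.
SELECT g.rolname AS createrole_role,
       m.rolname AS member
FROM pg_auth_members AS am
JOIN pg_roles AS g ON g.oid = am.roleid
JOIN pg_roles AS m ON m.oid = am.member
WHERE g.rolcreaterole
  AND NOT g.rolsuper
ORDER BY g.rolname, m.rolname;
```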