PT-2026-23731 · Timescale · TimescaleDB

Svenklem · Published 2026-03-06 · Updated 2026-03-07

CVE-2026-29089
CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TimescaleDB versions 2.23.0 through 2.25.1

Description: TimescaleDB is a time-series database that functions as a Postgres extension. Its extension upgrade scripts look up some database objects without schema qualification, so PostgreSQL resolves those names through the search_path setting. When that path includes a schema a user can write to, a malicious user can create functions there that shadow built-in Postgres functions; the shadowing functions are executed instead of the built-ins during an extension upgrade, potentially leading to arbitrary code execution.

Recommendations: Upgrade to TimescaleDB version 2.25.2 or later.
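As an added defensive check that is not part of this advisory, the following SQL lists functions in non-system schemas whose names collide with a pg_catalog function, and the schemas in which the PUBLIC pseudo-role may create objects. It assumes a superuser or similarly privileged session and is an inventory aid only; it does not replace the upgrade.

```sql
-- Added example, not from the advisory or the TimescaleDB project.
-- 1) Functions outside the system schemas that share a name with a
--    built-in pg_catalog function. Any row here deserves a look: such a
--    function can be picked over the built-in when an unqualified
--    lookup walks the search_path.
SELECT n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_function_identity_arguments(p.oid)   AS args,
       pg_get_userbyid(p.proowner)                 AS owner,
       has_schema_privilege('public', n.nspname, 'CREATE')
                                                   AS public_can_create
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  n.nspname NOT LIKE 'pg\_%'
  AND  EXISTS (SELECT 1
               FROM   pg_proc b
               JOIN   pg_namespace bn ON bn.oid = b.pronamespace
               WHERE  bn.nspname = 'pg_catalog'
                 AND  b.proname  = p.proname)
ORDER  BY 1, 2;

-- 2) Schemas where every role may create objects. On PostgreSQL < 15 the
--    "public" schema grants CREATE to PUBLIC by default, which is the
--    classic user-writable schema on a default search_path.
SELECT n.nspname AS schema
FROM   pg_namespace n
WHERE  has_schema_privilege('public', n.nspname, 'CREATE')
  AND  n.nspname NOT LIKE 'pg\_%'
ORDER  BY 1;
```

Review the rows from the first query against expected application code, and treat CREATE on "public" for PUBLIC as a general hardening item alongside the upgrade.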


Weakness Enumeration: Untrusted Search Path

Related Identifiers: CVE-2026-29089, GHSA-VGP2-JJ5C-828M

Affected Products: TimescaleDB