Description
TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqualified database objects (tables, functions, operators). If the search_path includes user-writable schemas a malicious user can create functions in that schema that shadow builtin postgres functions and will be called instead of the postgres functions leading to arbitrary code execution during extension upgrade. This issue has been patched in version 2.25.2.
Published: 2026-03-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution during extension upgrade
Action: Apply Patch
AI Analysis

Impact

A flaw in TimescaleDB between versions 2.23.0 and 2.25.1 allows a PostgreSQL user who has write access to a schema that appears in the database’s search_path to create a function with the same name as a built‑in PostgreSQL function. During an extension upgrade the server will resolve the function from the user‑writable schema instead of the intended PostgreSQL implementation, enabling the attacker to execute arbitrary code on the database host. This translates to a high‑severity vulnerability classified as CWE‑426 and CWE‑427. The impact is a complete compromise of the database system on the host where the database process runs.

Affected Systems

The affected product is TimescaleDB, a PostgreSQL extension for time‑series data. All installed instances of TimescaleDB from version 2.23.0 up through 2.25.1 are vulnerable. The vendor responsible for the fix is Timescale, and the fix is incorporated in release 2.25.2.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity, while the EPSS score is less than 1%, suggesting a low probability of active exploitation at present. The flaw has not been listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector involves a user or application with database permissions leveraging a writable schema in the search_path; the attacker must already have database access to create the malicious function, after which the code runs with the privileges of the database server process during an upgrade. The risk is mitigated by applying the published patch, but if an immediate upgrade is not feasible, renaming or dropping the conflicting functions and tightening the search_path before the upgrade can provide a temporary safeguard.

Generated by OpenCVE AI on April 16, 2026 at 11:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TimescaleDB to version 2.25.2 or later to remove the flaw
  • Remove or rename any user‑defined functions that shadow PostgreSQL functions before performing an extension upgrade
  • Restrict the database search_path to exclude user‑writable schemas during the upgrade process
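The three actions above can be checked and applied from psql before the upgrade. The SQL below is an added example written for this page; it is not OpenCVE's or Timescale's code. It goes slightly beyond the list by first showing which schemas on the effective search_path the PUBLIC pseudo-role can create objects in (the precondition for shadowing), then listing user-defined functions whose names collide with pg_catalog functions, excluding extension-owned objects so TimescaleDB's own internal functions are not reported. The upgrade command at the end is commented out and is an assumption about the procedure; the TimescaleDB release notes for your version take precedence over it.

```sql
-- Added example (not from OpenCVE or Timescale): pre-upgrade checks for the
-- search_path shadowing condition described in this advisory.
-- Run as a superuser or the extension owner, connected to the database to upgrade.

-- 1. Schemas on this session's effective search_path, in resolution order,
--    and whether PUBLIC can CREATE in them. Any 'true' is a schema where an
--    ordinary database user could define a function that shadows a built-in.
SELECT n.nspname                                           AS schema_name,
       pg_get_userbyid(n.nspowner)                         AS owner,
       has_schema_privilege('public', n.nspname, 'CREATE') AS public_can_create
FROM   pg_namespace n
WHERE  n.nspname = ANY (current_schemas(true))
ORDER  BY array_position(current_schemas(true), n.nspname);

-- 2. Functions outside the system schemas whose name matches a pg_catalog
--    function. Objects that belong to an extension (pg_depend deptype 'e')
--    are excluded; what remains is what to review, rename or drop before
--    running the upgrade.
SELECT n.nspname                                 AS schema_name,
       p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_get_userbyid(p.proowner)               AS owner,
       left(p.prosrc, 80)                        AS source_preview
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  n.nspname NOT LIKE 'pg_toast%'
  AND  EXISTS (SELECT 1
               FROM   pg_proc c
               JOIN   pg_namespace cn ON cn.oid = c.pronamespace
               WHERE  cn.nspname = 'pg_catalog'
                 AND  c.proname = p.proname)
  AND  NOT EXISTS (SELECT 1
                   FROM   pg_depend d
                   WHERE  d.classid = 'pg_proc'::regclass
                     AND  d.objid   = p.oid
                     AND  d.deptype = 'e')
ORDER  BY 1, 2;

-- 3. Hardening for the upgrade session: close the classic writable schema and
--    pin the search_path so unqualified names resolve only in pg_catalog.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
SET search_path = pg_catalog;
-- Assumed vendor upgrade step, left commented out; run it as the TimescaleDB
-- release notes instruct (they may require a fresh session):
-- ALTER EXTENSION timescaledb UPDATE;
```

Query 2 reports name collisions only; a function found there is not necessarily malicious, but each one should be accounted for (known application code, or removed) before the extension scripts run, because an unqualified call from those scripts will resolve to whichever schema comes first on the search_path.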


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 19:00:00 +0000

CPEs
  Values added: cpe:2.3:a:timescale:timescaledb:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 10:15:00 +0000

First Time appeared
  Values added: Timescale; Timescale timescaledb
Vendors & Products
  Values added: Timescale; Timescale timescaledb

Sat, 07 Mar 2026 12:15:00 +0000

Weaknesses
  Values added: CWE-427
References
Metrics threat_severity
  Values removed: None
  Values added: Important


Fri, 06 Mar 2026 19:15:00 +0000

Metrics ssvc
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 17:30:00 +0000

Description
  Values added: TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqualified database objects (tables, functions, operators). If the search_path includes user-writable schemas a malicious user can create functions in that schema that shadow builtin postgres functions and will be called instead of the postgres functions leading to arbitrary code execution during extension upgrade. This issue has been patched in version 2.25.2.
Title
  Values added: TimescaleDB uses untrusted search path during extension upgrade
Weaknesses
  Values added: CWE-426
References
Metrics cvssV3_1
  Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:56:36.996Z

Reserved: 2026-03-03T21:54:06.707Z

Link: CVE-2026-29089

Vulnrichment

Updated: 2026-03-06T17:57:12.804Z

NVD

Status : Analyzed

Published: 2026-03-06T18:16:19.967

Modified: 2026-03-18T18:50:46.093

Link: CVE-2026-29089

Redhat

Severity : Important

Public Date: 2026-03-06T17:06:34Z

Links: CVE-2026-29089 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses