CVE-2026-29089
Function Shadowing Vulnerability in TimescaleDB Enables Code Execution
Publication date: 2026-03-06
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| timescale | timescaledb | From 2.23.0 (inc) to 2.25.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29089 is a security vulnerability in TimescaleDB versions 2.23.0 to 2.25.1 related to how PostgreSQL uses the search_path setting to locate unqualified database objects like tables and functions.
If the search_path includes schemas writable by users, a malicious user can create functions in those schemas that shadow built-in PostgreSQL functions. During an extension upgrade, these malicious functions may be executed instead of the legitimate ones, leading to arbitrary code execution.
This vulnerability allows a low-privileged attacker to escalate privileges to superuser level by exploiting the untrusted search path during extension upgrades.
The issue was fixed in TimescaleDB version 2.25.2 by explicitly setting the search_path at the start of all SQL scripts involved in installation, upgrade, and downgrade processes to prevent schema path manipulation.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution during extension upgrades in TimescaleDB if exploited.
An attacker with low privileges can create malicious functions that shadow built-in PostgreSQL functions, which are then executed with elevated privileges during the upgrade process.
The impact includes potential full system compromise with superuser privileges, resulting in high confidentiality, integrity, and availability losses.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking the TimescaleDB version in use and inspecting the database search_path settings for user-writable schemas that could be exploited.
You can detect if your TimescaleDB installation is vulnerable by verifying the version is between 2.23.0 and 2.25.1, as these versions are affected.
To check the TimescaleDB version, you can run the following SQL command in your PostgreSQL environment:
- SELECT default_version, installed_version FROM pg_available_extensions WHERE name = 'timescaledb';
To inspect the current search_path setting and identify if it includes user-writable schemas, use:
- SHOW search_path;
If the search_path includes schemas writable by non-superusers, it may indicate exposure to this vulnerability.
Additionally, reviewing the database schemas for any suspicious user-created functions that could shadow built-in PostgreSQL functions is recommended.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade TimescaleDB to version 2.25.2 or later, where the vulnerability has been fixed.
This fix ensures that the SQL search_path is explicitly set to a safe value (pg_catalog, pg_temp) at the very beginning of all SQL scripts during installation, upgrade, or downgrade, preventing malicious schema injection.
If immediate upgrading is not possible, a temporary workaround is to block extension upgrades, as the vulnerability resides in the upgrade process.
Review and restrict the search_path configuration to exclude any user-writable schemas to reduce risk.
Ensure that only trusted users have write permissions on schemas included in the search_path.