Executive Summary

CVE-2026-29089 is a security vulnerability in TimescaleDB versions 2.23.0 to 2.25.1 related to how PostgreSQL uses the search_path setting to locate unqualified database objects like tables and functions.

If the search_path includes schemas writable by users, a malicious user can create functions in those schemas that shadow built-in PostgreSQL functions. During an extension upgrade, these malicious functions may be executed instead of the legitimate ones, leading to arbitrary code execution.

This vulnerability allows a low-privileged attacker to escalate privileges to superuser level by exploiting the untrusted search path during extension upgrades.

The issue was fixed in TimescaleDB version 2.25.2 by explicitly setting the search_path at the start of all SQL scripts involved in installation, upgrade, and downgrade processes to prevent schema path manipulation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary code execution during extension upgrades in TimescaleDB if exploited.

An attacker with low privileges can create malicious functions that shadow built-in PostgreSQL functions, which are then executed with elevated privileges during the upgrade process.

The impact includes potential full system compromise with superuser privileges, resulting in high confidentiality, integrity, and availability losses.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking the TimescaleDB version in use and inspecting the database search_path settings for user-writable schemas that could be exploited.

You can detect if your TimescaleDB installation is vulnerable by verifying the version is between 2.23.0 and 2.25.1, as these versions are affected.

To check the TimescaleDB version, you can run the following SQL command in your PostgreSQL environment:

• SELECT default_version, installed_version FROM pg_available_extensions WHERE name = 'timescaledb';

To inspect the current search_path setting and identify if it includes user-writable schemas, use:

• SHOW search_path;

If the search_path includes schemas writable by non-superusers, it may indicate exposure to this vulnerability.

Additionally, reviewing the database schemas for any suspicious user-created functions that could shadow built-in PostgreSQL functions is recommended.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade TimescaleDB to version 2.25.2 or later, where the vulnerability has been fixed.

This fix ensures that the SQL search_path is explicitly set to a safe value (pg_catalog, pg_temp) at the very beginning of all SQL scripts during installation, upgrade, or downgrade, preventing malicious schema injection.

If immediate upgrading is not possible, a temporary workaround is to block extension upgrades, as the vulnerability resides in the upgrade process.

Review and restrict the search_path configuration to exclude any user-writable schemas to reduce risk.

Ensure that only trusted users have write permissions on schemas included in the search_path.

Useful 0 Not Useful 0