CVE-2026-29089
Published: 06 March 2026
Summary
CVE-2026-29089 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Timescale TimescaleDB. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 6.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation through upgrading TimescaleDB to version 2.25.2 or later, eliminating the search_path exploitation during extension upgrades.
- Enforces secure configuration of the PostgreSQL search_path to exclude user-writable schemas, preventing resolution to malicious shadowed functions.
- Implements least privilege to restrict low-privileged users from creating functions in schemas included in the search_path, blocking the initial malicious object placement.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability description directly describes exploitation of an untrusted search_path (CWE-426) by a low-privileged database user to achieve arbitrary code execution during a privileged extension upgrade operation, resulting in full database server compromise with scope change. This precisely matches the definition of T1068 Exploitation for Privilege Escalation.
NVD Description
TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqualified database objects (tables, functions, operators). If the search_path includes user-writable schemas a malicious user can create functions in that schema that shadow builtin postgres functions and will be called instead of the postgres functions leading to arbitrary code execution during extension upgrade. This issue has been patched in version 2.25.2.
Deeper analysis
CVE-2026-29089 is a high-severity vulnerability (CVSS 8.8) affecting TimescaleDB, a time-series database extension for PostgreSQL, in versions 2.23.0 through 2.25.1. The issue stems from PostgreSQL's use of the search_path setting to resolve unqualified database objects such as tables, functions, and operators. If the search_path includes user-writable schemas, a malicious user can create functions in that schema to shadow built-in PostgreSQL functions, which are then invoked instead during TimescaleDB extension upgrades, resulting in arbitrary code execution. This flaw is classified under CWE-426 (Untrusted Search Path).
A low-privileged user (PR:L) with local access (AV:L) to the PostgreSQL instance can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By placing a malicious function in a writable schema within the search_path, the attacker tricks the extension upgrade process into executing their code instead of legitimate PostgreSQL functions. Successful exploitation grants high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) with a changed scope (S:C), potentially allowing full compromise of the database server.
TimescaleDB has addressed this vulnerability in version 2.25.2, as detailed in the project's security advisory (GHSA-vgp2-jj5c-828m), release notes, associated pull request (#9331), and patching commit (9a8f7f8bdeb99e6abae0786ffe526791a8628ce3). Security practitioners should upgrade affected installations to 2.25.2 or later to mitigate the risk.
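The following audit and hardening sequence is an added example for the search_path weakness described above; it is not part of this advisory or of the TimescaleDB project. It assumes a hypothetical application role app_user, a hypothetical database mydb, and the extension installed in the public schema, and is meant to be run as a superuser before the upgrade.

```sql
-- Added example (not from the advisory or TimescaleDB). Assumes the hypothetical
-- role app_user, the hypothetical database mydb, and the extension in schema public.

-- 1. Audit: which schemas on the effective search_path can PUBLIC or app_user
--    create objects in? Any row with a true value is a shadowing candidate.
SELECT s.schema_name,
       has_schema_privilege('public',   s.schema_name, 'CREATE') AS public_can_create,
       has_schema_privilege('app_user', s.schema_name, 'CREATE') AS app_user_can_create
FROM unnest(current_schemas(true)) AS s(schema_name)
WHERE s.schema_name <> 'pg_catalog';

-- 2. Detect: functions already present in search_path schemas that are owned by a
--    non-superuser and do not belong to any extension (extension members are
--    recorded in pg_depend with deptype = 'e'). Review every row before upgrading.
SELECT n.nspname, p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r     ON r.oid = p.proowner
WHERE n.nspname = ANY (current_schemas(true))
  AND NOT r.rolsuper
  AND NOT EXISTS (SELECT 1 FROM pg_depend d
                  WHERE d.classid = 'pg_proc'::regclass
                    AND d.objid   = p.oid
                    AND d.deptype = 'e')
ORDER BY 1, 2;

-- 3. Weak setting: on PostgreSQL 14 and earlier, PUBLIC has CREATE on schema
--    public by default and the default search_path is "$user", public.
--    Hardened setting: revoke that privilege and pin the database search_path
--    so pg_catalog is explicit and no user-writable schema is on the path.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER DATABASE mydb SET search_path = pg_catalog, public;

-- 4. Apply the fix. TimescaleDB's upgrade documentation asks for this to be the
--    first statement of a fresh connection (e.g. psql -X), after steps 1-3.
ALTER EXTENSION timescaledb UPDATE TO '2.25.2';
```

Steps 1 and 2 are read-only and can be run on any affected instance to confirm whether a low-privileged role actually had a place to put a shadowing function before the upgrade.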
Details
- CWE(s)