Home / Vulnerability Intelligence / CVE-2026-29089

CVE-2026-29089 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 6, 2026

TimescaleDB - Command Injection

Published: March 6, 2026Updated: March 6, 2026

Overview

TimescaleDB 2.23.0 to 2.25.1 contains a command injection caused by user-writable schemas in search_path allowing function shadowing during extension upgrade, letting malicious users execute arbitrary code, exploit requires user writable schema access.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Malicious users can execute arbitrary code during extension upgrade, potentially compromising the database server.

Mitigation

Upgrade to version 2.25.2 or later.

References

https://github.com/timescale/timescaledb/commit/9a8f7f8bdeb99e6abae0786ffe526791a8628ce3
https://github.com/timescale/timescaledb/pull/9331
https://github.com/timescale/timescaledb/releases/tag/2.25.2
https://github.com/timescale/timescaledb/security/advisories/GHSA-vgp2-jj5c-828m

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-29089
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new

CWE

CWE-426

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H