
CVE-2026-29089 - Vulnerability Analysis

High, CVSS: 8.8

Last Updated: March 9, 2026

TimescaleDB - Command Injection

Published: March 6, 2026
Updated: March 9, 2026

Overview

TimescaleDB 2.23.0 to 2.25.1 contains a command injection vulnerability: user-writable schemas in search_path allow function shadowing during extension upgrade, letting malicious users execute arbitrary code. Exploitation requires access to a user-writable schema.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 1.2% (probability of exploitation in the next 30 days)

Impact

Malicious users can execute arbitrary code during extension upgrade, potentially compromising the database server.

Mitigation

Upgrade to version 2.25.2 or later.
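
To check exposure before upgrading, the following queries are an added example (not from this advisory or the TimescaleDB project). They assume a psql session in the target database, opened as the role that would perform the extension upgrade; the column aliases are illustrative.

```sql
-- 1. Installed TimescaleDB version, compared with the affected range
--    stated above (2.23.0 to 2.25.1). Returns no row if the extension
--    is not installed in this database.
SELECT extversion,
       (regexp_match(extversion, '^(\d+)\.(\d+)\.(\d+)'))::int[]
           BETWEEN ARRAY[2,23,0] AND ARRAY[2,25,1] AS in_affected_range
FROM pg_extension
WHERE extname = 'timescaledb';

-- 2. Schemas on this session's effective search_path in which a
--    non-superuser role holds CREATE. Any row is a schema where that
--    role could place an object that shadows an unqualified name.
SELECT n.nspname AS schema_name,
       r.rolname AS role_with_create
FROM pg_namespace AS n
CROSS JOIN pg_roles AS r
WHERE n.nspname = ANY (current_schemas(true))
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY n.nspname, r.rolname;

-- 3. search_path overrides stored per role or per database, which can
--    put additional schemas on the path of whoever runs the upgrade.
SELECT coalesce(d.datname, '(all databases)') AS database_name,
       coalesce(r.rolname, '(all roles)')     AS role_name,
       cfg                                    AS setting
FROM pg_db_role_setting AS s
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE cfg LIKE 'search_path=%';
```

An affected version together with any row from the second query means the precondition described in the Overview is present in that session.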

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 7, 2026

🟠 CVE-2026-29089 - High (8.8) TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqualified database objects (tables, functions, oper... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29089/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-29089
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: unconfirmed
EPSS: 1.2%
Social Posts: 1

CWE

  • CWE-426

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

1.2% (probability of exploitation in the next 30 days)