CVE-2026-29089
Severity: HIGH (8.8)
Description
TimescaleDB is a time-series database for high-performance real-time analytics, packaged as a PostgreSQL extension. In versions 2.23.0 through 2.25.1, the extension's upgrade scripts are affected by the way PostgreSQL resolves unqualified database objects (tables, functions, operators) through the search_path setting. If the search_path includes a user-writable schema, a malicious user can create functions in that schema that shadow built-in PostgreSQL functions; those shadowing functions are called instead of the built-in ones during the extension upgrade, leading to arbitrary code execution. This issue has been patched in version 2.25.2.
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 3/6/2026
Last modified: 3/18/2026
Source: nvd
Honeypot sightings: 0
Affected products
timescale:timescaledb
Weaknesses (CWE)
CWE-426
References
https://github.com/timescale/timescaledb/commit/9a8f7f8bdeb99e6abae0786ffe526791a8628ce3 (security-advisories@github.com)
https://github.com/timescale/timescaledb/pull/9331 (security-advisories@github.com)
https://github.com/timescale/timescaledb/releases/tag/2.25.2 (security-advisories@github.com)
https://github.com/timescale/timescaledb/security/advisories/GHSA-vgp2-jj5c-828m (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.