CVE-2026-29089 Overview
CVE-2026-29089 is an Untrusted Search Path vulnerability affecting TimescaleDB, a high-performance time-series database packaged as a PostgreSQL extension. The vulnerability exists in versions 2.23.0 through 2.25.1 and stems from improper handling of the PostgreSQL search_path setting during extension upgrades.
PostgreSQL uses the search_path setting to locate unqualified database objects such as tables, functions, and operators. When this path includes user-writable schemas, a malicious user with database access can create functions that shadow built-in PostgreSQL functions. During extension upgrade operations, these malicious functions execute instead of the legitimate PostgreSQL functions, enabling arbitrary code execution with the privileges of the database user performing the upgrade.
Critical Impact
Local attackers with database access can achieve arbitrary code execution during TimescaleDB extension upgrades by exploiting search_path poisoning, potentially leading to full database compromise and container escape scenarios.
Affected Products
- TimescaleDB versions 2.23.0 through 2.25.1
- PostgreSQL installations with TimescaleDB extension
- Systems where user-writable schemas are included in the search_path
Discovery Timeline
- 2026-03-06 - CVE-2026-29089 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29089
Vulnerability Analysis
This vulnerability falls under CWE-426 (Untrusted Search Path), a category of flaws where an application searches for critical resources using an externally-supplied or incompletely-qualified search path that could resolve to unintended resources.
In the context of TimescaleDB, the extension upgrade scripts execute SQL statements that reference PostgreSQL functions without fully qualifying them (e.g., calling some_function() instead of pg_catalog.some_function()). PostgreSQL resolves these function calls by iterating through the schemas listed in search_path until it finds a matching function.
When the search_path includes a schema that a regular user can write to (such as public), an attacker can pre-plant malicious functions with the same names as internal PostgreSQL functions. When an administrator subsequently upgrades the TimescaleDB extension, the upgrade scripts inadvertently invoke the attacker's functions instead of the legitimate ones, executing arbitrary code with elevated privileges.
Root Cause
The root cause lies in the SQL scripts used during TimescaleDB extension upgrades not setting a secure search_path at the beginning of execution. Without explicitly setting the search_path to trusted schemas only (such as pg_catalog and pg_temp), the scripts inherit the session's current search_path, which may include user-writable schemas.
The fix ensures that header.sql (which sets a secure search_path) is included at the very beginning of downgrade and upgrade scripts, preventing any subsequent SQL statements from being hijacked through search path poisoning.
Attack Vector
The attack requires local access to the PostgreSQL database with permissions to create functions in a schema included in the search_path. The attacker creates malicious functions that shadow PostgreSQL built-in functions used by the TimescaleDB upgrade scripts. When an administrator runs the extension upgrade, the malicious functions execute with the administrator's privileges, achieving arbitrary code execution.
-- Security patch in cmake/GenerateScripts.cmake
-- Ensure search_path is set before anything else in SQL scripts
include(
${CMAKE_BINARY_DIR}/v${_downgrade_TARGET_VERSION}/cmake/ScriptFiles.cmake)
- set(_downgrade_PRE_FILES ${PRE_DOWNGRADE_FILES})
+ set(_downgrade_PRE_FILES "header.sql;${PRE_DOWNGRADE_FILES}")
set(_downgrade_POST_FILES "${PRE_INSTALL_FUNCTION_FILES};${SOURCE_FILES}" ${SET_POST_UPDATE_STAGE}
${POST_UPDATE_FILES} ${UNSET_UPDATE_STAGE})
Source: GitHub Commit Update
Detection Methods for CVE-2026-29089
Indicators of Compromise
- Unexpected functions created in the public schema or other user-writable schemas that match PostgreSQL built-in function names
- Recent function creation activity in schemas included in the search_path prior to extension upgrades
- Unusual database user activity patterns, particularly function creation by non-administrative users
Detection Strategies
- Query pg_proc and pg_namespace to identify user-created functions that shadow system functions
- Monitor CREATE FUNCTION statements in PostgreSQL logs, particularly those targeting the public schema
- Implement database activity monitoring to detect function creation in production environments
- Review TimescaleDB extension version to confirm whether vulnerable versions (2.23.0-2.25.1) are deployed
Monitoring Recommendations
- Enable PostgreSQL statement logging (log_statement = 'ddl') to capture all DDL operations
- Configure alerting for function creation events in schemas other than application-specific ones
- Establish baseline monitoring for extension upgrade operations to detect anomalies
- Audit search_path configurations across database sessions to identify insecure settings
How to Mitigate CVE-2026-29089
Immediate Actions Required
- Upgrade TimescaleDB to version 2.25.2 or later immediately
- Review existing functions in user-writable schemas for any suspicious entries that shadow PostgreSQL built-ins
- Temporarily remove user-writable schemas from the search_path before performing any extension maintenance
- Audit database user permissions to restrict function creation privileges where unnecessary
Patch Information
TimescaleDB has released version 2.25.2 which addresses this vulnerability by ensuring the header.sql file (which sets a secure search_path) is included at the beginning of all upgrade and downgrade scripts. This prevents search path poisoning attacks during extension operations.
For detailed patch information, refer to:
Workarounds
- Set a secure search_path explicitly before performing extension upgrades: SET search_path TO pg_catalog, pg_temp;
- Revoke CREATE privileges on the public schema from non-administrative users
- Configure the default search_path in postgresql.conf to exclude user-writable schemas
- Use fully qualified function names in any custom SQL scripts interacting with TimescaleDB
# Configuration example - Secure search_path in postgresql.conf
# Add or modify these settings in postgresql.conf
# Set a restricted default search_path for all sessions
search_path = 'pg_catalog, "$user"'
# For extension upgrade operations, explicitly set before running
# psql -c "SET search_path TO pg_catalog, pg_temp;" -c "ALTER EXTENSION timescaledb UPDATE;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
