Bug 937573 (CVE-2024-7348) - <dev-db/postgresql-{12.20,13.16,14.13,15.8,16.4}: relation replacement during pg_dump executes arbitrary SQL
Status: CONFIRMED
Alias: CVE-2024-7348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal blocker
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: A1 [glsa cleanup]
Depends on: 937572
Reported: 2024-08-08 13:20 UTC by Patrick Lauer
Modified: 2024-08-13 07:04 UTC (History)
Description by Patrick Lauer (gentoo-dev), 2024-08-08 13:20:56 UTC
From upstream:

CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 - 16.

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
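The last sentence of the advisory is the part that is easy to get wrong operationally: pg_dump only issues the protective SET when the server is new enough to honour it, so an upgraded client against an old server (or the reverse) is still exposed. As an added example, not part of the bug report or the upstream advisory, this POSIX shell check takes a server version and a pg_dump client version and reports whether the pair is protected, using the fixed releases from the bug title (12.20, 13.16, 14.13, 15.8, 16.4; series newer than 16 are assumed to ship with the fix).

```shell
# Added example, not from the bug report or the upstream advisory.
# A pg_dump run is protected against CVE-2024-7348 only when BOTH the
# server and the pg_dump client carry the fix; the fixed releases per
# major series are the ones listed in the bug title.

# Print the first fixed minor release for a major series, or nothing
# if that series never received the fix.
fixed_minor_for_major() {
    case "$1" in
        12) echo 20 ;;
        13) echo 16 ;;
        14) echo 13 ;;
        15) echo 8 ;;
        16) echo 4 ;;
        *)  echo "" ;;
    esac
}

# pg_version_fixed "16.3" -> exit 0 if that build carries the fix.
pg_version_fixed() {
    major=${1%%.*}
    case "$1" in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;  # tolerate "15.8.1"
        *)   minor=0 ;;
    esac
    fixed=$(fixed_minor_for_major "$major")
    if [ -z "$fixed" ]; then
        # Assumption: series after 16 shipped with the fix; 11 and older never got it.
        [ "$major" -gt 16 ] && return 0
        return 1
    fi
    [ "$minor" -ge "$fixed" ]
}

# dump_protected <server version> <pg_dump version>: exit 0 only if both
# sides have the fix, so pg_dump's SET restrict_nonsystem_relation_kind is honoured.
dump_protected() {
    pg_version_fixed "$1" && pg_version_fixed "$2"
}

# Constructed sample pairs (server, pg_dump) for illustration only.
for pair in "16.4 16.4" "16.4 16.3" "15.7 15.8" "12.20 16.4"; do
    set -- $pair
    if dump_protected "$1" "$2"; then
        echo "server $1 + pg_dump $2: protected"
    else
        echo "server $1 + pg_dump $2: NOT protected, upgrade both sides"
    fi
done
```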
Comment 1 by Hans de Graaff (gentoo-dev, Security), 2024-08-13 06:57:54 UTC
Downgrading this to A1 since the attacker must be "able to create and drop non-temporary objects", which as far as I can tell requires some kind of existing access to the database server.