PostgreSQL project reports:
An attacker able to create and drop non-temporary objects could
inject SQL code that would be executed by a concurrent pg_dump
session with the privileges of the role running pg_dump
(which is often a superuser). The attack involves replacing a
sequence or similar object with a view or foreign table that will
execute malicious code. To prevent this, introduce a new server
parameter restrict_nonsystem_relation_kind that can disable
expansion of non-builtin views as well as access to foreign
tables, and teach pg_dump to set it when available. Note that the
attack is prevented only if both pg_dump and the server it is
dumping from are new enough to have this fix.
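
Because the fix only helps when both sides have it, a backup host can check each half before relying on it. The script below is an added example, not PostgreSQL project code. It assumes `psql` can connect and read `pg_settings`, and it uses a string search of the `pg_dump` executable as a heuristic for "this client knows the parameter"; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not PostgreSQL project code): verify that the server AND the
# pg_dump client both know the parameter named in the advisory.
GUC=restrict_nonsystem_relation_kind

# Server half: the parameter is listed in pg_settings only on a server that has the fix.
# $1 = connection string or database name (assumption: the role may read pg_settings).
server_has_guc() {
    local n
    n=$(psql -XAtq -d "$1" -c "SELECT count(*) FROM pg_settings WHERE name = '$GUC'") || return 2
    [ "$n" = 1 ]
}

# Client half (heuristic, an assumption of this example): a pg_dump that sets the
# parameter has to carry its name as a string literal inside the executable.
# $1 = path to the pg_dump binary the backup job actually runs.
client_knows_guc() {
    [ -r "$1" ] && grep -aq "$GUC" "$1"
}

# Prints one verdict line; returns 0 only when both halves are present,
# 1 when either half is missing, 2 when the server could not be queried.
# $1 = connection string, $2 = path to pg_dump
audit_dump_pair() {
    local server=no client=no rc=0
    server_has_guc "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown: could not query server"
        return 2
    fi
    [ "$rc" -eq 0 ] && server=yes
    client_knows_guc "$2" && client=yes
    case "$server/$client" in
        yes/yes) echo "ok: server and pg_dump both have the parameter"; return 0 ;;
        yes/no)  echo "exposed: pg_dump does not set $GUC" ;;
        no/yes)  echo "exposed: server lacks $GUC" ;;
        *)       echo "exposed: neither side has $GUC" ;;
    esac
    return 1
}

# Usage: audit_dump_pair "dbname=postgres" "$(command -v pg_dump)"
```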