Wrong DSN construction
The DSN construction does not escape dbname. As the dbname comes from the request, it could contain anything (space, other attributes).
I do not thing it can be used as vector for an attack because psycopg2 validate the dsn by parsing it. So I did not report it as a security issue. But I think it should be fixed in all supported version ASAP.