Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability in its Identity Name
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rucio WebUI has a stored XSS vulnerability in Identity Name input, allowing arbitrary JavaScript execution via unencoded output.
Vulnerability
Overview
CVE-2026-25735 is a stored Cross-Site Scripting (XSS) vulnerability in the Rucio WebUI of Rucio, a scientific data management framework. The vulnerability exists in the Identity Name field, where attacker-controlled input is persisted by the backend as the account identity name and later rendered in the WebUI without proper output encoding [2]. Consequently, arbitrary JavaScript can execute in the context of the WebUI for any user who views the affected page [3].
Exploitation
An authenticated user can inject a malicious payload into the Identity Name through the account management interface (Admin > Account Management > ACCOUNT NAME > Add Account Identity). The payload is stored and triggered when another user visits the account view page (e.g., /ui/account?account=pentest) [3]. No special network position is required beyond standard WebUI access.
Impact
Successful exploitation enables arbitrary JavaScript execution in the WebUI origin for users viewing the affected pages. This can lead to session cookie theft (if cookies lack the HttpOnly flag), API token exfiltration, and unauthorized actions such as creating new identities with attacker-known passwords, modifying Rucio Storage Elements (RSEs), or exfiltrating scientific data [3]. Depending on which feature renders the field, the attack may affect all users or only administrative users.
Mitigation
The vulnerability is fixed in Rucio versions 35.8.3, 38.5.4, and 39.3.1 [2]. The fix applies proper output encoding to the Identity Name field, preventing stored XSS. Users should upgrade to a patched version. No workaround is listed in CISA KEV or similar databases.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
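The fix class named above is contextual HTML output encoding, the first rule of the OWASP XSS Prevention Cheat Sheet cited in the references. The following is an added illustration written for this page, not Rucio's own code: it contrasts interpolating a stored identity name straight into markup with encoding it first. The function names (`escapeHtml`, `renderIdentityNameUnsafe`, `renderIdentityNameSafe`, `cellPayloadHasMarkup`) and the sample value `SAMPLE_NAME` are assumptions constructed for the example.

```javascript
// Added example, not Rucio code: HTML-element-context output encoding
// for an untrusted stored value such as an account identity name.

// Entity map for the five characters that can change HTML structure
// (the set recommended for HTML body context by the OWASP cheat sheet).
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value so the browser renders it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into the page as-is,
// so any tags it contains become live DOM for every viewer of the page.
function renderIdentityNameUnsafe(name) {
  return `<td class="identity">${name}</td>`;
}

// Hardened pattern: the same template, but the untrusted part is encoded.
function renderIdentityNameSafe(name) {
  return `<td class="identity">${escapeHtml(name)}</td>`;
}

// Defensive check usable in a unit test: strip the trusted wrapper and
// report whether the untrusted part contributed any angle brackets.
function cellPayloadHasMarkup(cellHtml) {
  const open = '<td class="identity">';
  const close = '</td>';
  const inner = cellHtml.slice(open.length, cellHtml.length - close.length);
  return /[<>]/.test(inner);
}

// Constructed sample identity name containing a script tag (the classic
// stored-XSS test string; a hypothetical value, not taken from the advisory).
const SAMPLE_NAME = 'bob<script>alert(1)</script>';

// Run stand-alone: the unsafe cell carries markup, the safe cell does not.
console.log(renderIdentityNameUnsafe(SAMPLE_NAME));
console.log(renderIdentityNameSafe(SAMPLE_NAME));
console.log('unsafe has markup:', cellPayloadHasMarkup(renderIdentityNameUnsafe(SAMPLE_NAME)));
console.log('safe has markup:  ', cellPayloadHasMarkup(renderIdentityNameSafe(SAMPLE_NAME)));
```

When the WebUI builds DOM directly rather than HTML strings, the equivalent of `escapeHtml` is assigning the value to `textContent` instead of `innerHTML`; encoding must also change with context (attribute, URL, JavaScript), which is why the cheat sheet treats each context separately.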
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rucio-webui (PyPI) | < 35.8.3 | 35.8.3 |
| rucio-webui (PyPI) | >= 36.0.0rc1, < 38.5.4 | 38.5.4 |
| rucio-webui (PyPI) | >= 39.0.0rc1, < 39.3.1 | 39.3.1 |
Affected products
- rucio/rucio v5, range: < 35.8.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8wpv-6x3f-3rm5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25735 (GHSA, advisory)
- cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html (GHSA, x_refsource_MISC, web)
- github.com/rucio/rucio/releases/tag/35.8.3 (GHSA, x_refsource_MISC, web)
- github.com/rucio/rucio/releases/tag/38.5.4 (GHSA, x_refsource_MISC, web)
- github.com/rucio/rucio/releases/tag/39.3.1 (GHSA, x_refsource_MISC, web)
- github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.