VYPR
Moderate severity · NVD Advisory · Published Feb 25, 2026 · Updated Feb 26, 2026

Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute

CVE-2026-25736

Description

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Rucio WebUI stores XSS payloads in custom RSE attributes, allowing attackers to execute arbitrary JavaScript in the context of other users.

Vulnerability Description

Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 contain a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute functionality of the WebUI [2]. The underlying issue is that attacker-controlled input submitted through the 'Add Attribute' feature is persisted by the backend and later rendered on the RSE view page without proper output encoding [3]. This class of injection vulnerability is well documented in the OWASP Cross-Site Scripting Prevention Cheat Sheet, which recommends contextual output encoding and framework-specific protections [1].
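The rendering step this advisory turns on, shown as an added example that is not code from the Rucio project: a backend-supplied RSE attribute is spliced into markup as-is (the vulnerable pattern) and then with HTML output encoding, as the OWASP cheat sheet recommends. The function names, the attribute list and the probe value are constructed for this illustration and are not taken from the Rucio WebUI.

```javascript
// Added example, not code from the Rucio project: the rendering step that a
// stored XSS in an RSE attribute depends on, shown unencoded and then with
// HTML output encoding. Function names and the sample values are constructed.

// Encode the five characters that matter for HTML element content and for
// double- or single-quoted attribute values. '&' must be encoded first so the
// entities produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the backend-supplied key and value are joined into
// markup unchanged, so any tags stored in the attribute become live DOM when
// the page is viewed.
function renderAttributeRowUnsafe(key, value) {
  return `<tr><td>${key}</td><td>${value}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded before it is joined into
// markup. The browser then displays the text literally instead of parsing it.
function renderAttributeRowSafe(key, value) {
  return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Render a whole attribute table from a backend list of {key, value} objects.
// The safe row renderer is the default; the unsafe one is kept only so the two
// outputs can be compared.
function renderAttributeTable(attributes, rowRenderer = renderAttributeRowSafe) {
  const rows = attributes.map((a) => rowRenderer(a.key, a.value)).join('');
  return `<table>${rows}</table>`;
}

// Regression check for a template function: render a value containing a
// script tag and confirm that no raw '<script' survives into the output.
function rendersWithoutScriptTag(rowRenderer) {
  const probe = '<script>alert(1)</script>'; // constructed probe value
  return !rowRenderer('probe', probe).toLowerCase().includes('<script');
}

// Constructed sample of what a backend might return for one RSE; the second
// entry stands in for a stored attribute that carries markup.
const SAMPLE_ATTRIBUTES = [
  { key: 'site', value: 'EXAMPLE-SITE' },
  { key: 'XSS', value: '<script>alert(1)</script>' },
];
```

When the WebUI builds the table through DOM APIs instead of string templates, the equivalent fix is to assign the stored value with `textContent` (or a framework binding that encodes by default) rather than `innerHTML`; the string-level encoder above is what such bindings do internally.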

Exploitation Path

An authenticated attacker can inject a JavaScript payload by sending a POST request to /proxy/rses/WEB1/attr/XSS with a crafted value such as `` [3]. The payload is stored in the custom RSE attribute and executes every time any user views the RSE in the Admin > RSE Management section [3]. No privileges beyond an account that can add attributes are required; any authenticated user who views the affected page becomes a victim of the XSS attack.

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the WebUI origin. This can lead to session token theft (if session cookies lack the HttpOnly flag or are otherwise accessible to JavaScript), API token exfiltration, or unauthorized administrative actions on behalf of the victim [3]. Attackers can perform operations such as creating new UserPass identities with known passwords, adding or deleting RSEs, or exfiltrating scientific data metadata [3].

Mitigation

The vulnerability is fixed in Rucio versions 35.8.3, 38.5.4, and 39.3.1 [2]. Users should upgrade to the latest patched version of their release line. The Rucio project also recommends reviewing the HttpOnly flag on session cookies and the exposure of API tokens in WebUI JavaScript variables as additional hardening measures [3].
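The cookie review suggested above, as an added example that is not part of this advisory or of the Rucio project: a small auditor that parses Set-Cookie headers and reports which of the flags that limit what injected script can read or replay are missing. The header strings and cookie names are constructed samples, not values observed in a Rucio deployment.

```javascript
// Added example, not code from the Rucio project: audit Set-Cookie headers for
// the flags that limit what a stored-XSS payload can read or replay. The
// header strings and cookie names are constructed samples.

// Parse one Set-Cookie header value into the cookie name and a map of its
// attributes. Attribute names are lower-cased; valueless attributes such as
// HttpOnly map to true, valued ones (SameSite=Lax) to their string value.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? first : first.slice(0, eq);
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Report the hardening gaps for one cookie. HttpOnly keeps the value out of
// document.cookie, Secure keeps it off plaintext HTTP, and SameSite=Lax/Strict
// limits cross-site sends. None of these stops script that already runs in the
// page from issuing same-origin requests, which is why output encoding (the
// upstream fix) remains the primary control.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) {
    findings.push('HttpOnly missing: value readable via document.cookie');
  }
  if (!('secure' in attrs)) {
    findings.push('Secure missing: cookie sent over plaintext HTTP');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax or Strict');
  }
  return { name, findings };
}

// Audit every Set-Cookie header of a response and keep only cookies with gaps,
// which is the shape a periodic hardening check would log or alert on.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(auditSessionCookie)
    .filter((result) => result.findings.length > 0);
}

// Constructed sample response: one weak cookie and one hardened cookie.
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/',
  'api_token=def456; Path=/; HttpOnly; Secure; SameSite=Lax',
];
```

The API-token half of the recommendation is not something a header check can see; it is a review of the served HTML and bundles for tokens placed in global JavaScript variables, where any injected script could read them regardless of cookie flags.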

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions         Patched versions
rucio-webui (PyPI)   < 35.8.3                  35.8.3
rucio-webui (PyPI)   >= 36.0.0rc1, < 38.5.4    38.5.4
rucio-webui (PyPI)   >= 39.0.0rc1, < 39.3.1    39.3.1

Affected products

  • Rucio/Rucio (llm-fuzzy)
    Range: < 35.8.3, < 38.5.4, < 39.3.1
  • rucio/rucio (v5)
    Range: < 35.8.3

Patches

No patches discovered yet.
