CVE-2026-29090
Description
Summary
A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in FilterEngine.create_postgres_query(). This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (GET /dids/<scope>/dids/search). When the postgres_meta metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python .format(), then passed to psycopg3's sql.SQL() which treats the string as trusted SQL syntax.
Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
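To make the mechanism concrete, here is an added illustration (not Rucio's FilterEngine code) of the two ways a user-supplied DID metadata filter can be turned into a PostgreSQL query: the str.format() interpolation the advisory describes, beside a hardened builder that keeps every user-supplied key and value out of the SQL text. The table name did_meta, a JSONB column meta, and the %s placeholder style are assumptions for the example.

```python
import re
from typing import Any

# Constructed example. Table "did_meta" and JSONB column "meta" are assumed names;
# %s placeholders are the psycopg-style client-side parameter markers.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")
ALLOWED_OPERATORS = {"=", "!=", "<", "<=", ">", ">="}


def build_query_unsafe(scope: str, filters: list[tuple[str, str, Any]]) -> str:
    """The pattern the advisory describes: scope, keys and values are pasted into
    the SQL string with str.format(), so the database parses them as SQL syntax."""
    where = ["scope = '{}'".format(scope)]
    for key, op, value in filters:
        where.append("meta->>'{}' {} '{}'".format(key, op, value))
    return "SELECT name FROM did_meta WHERE " + " AND ".join(where)


class UnsafeFilterError(ValueError):
    """A filter part that is not allowed to become part of the SQL text."""


def build_query_safe(scope: str, filters: list[tuple[str, str, Any]]) -> tuple[str, list[Any]]:
    """Hardened form: the SQL text is built only from constant fragments. The scope,
    every metadata key and every value travel as bound parameters; the operator,
    which cannot be bound, is checked against a fixed allowlist. Keys are also
    restricted to plain identifiers as defence in depth."""
    where = ["scope = %s"]
    params: list[Any] = [scope]
    for key, op, value in filters:
        if op not in ALLOWED_OPERATORS:
            raise UnsafeFilterError(f"operator not allowed: {op!r}")
        if not _IDENT_RE.fullmatch(key):
            raise UnsafeFilterError(f"metadata key is not a plain identifier: {key!r}")
        where.append(f"meta->>%s {op} %s")  # key and value both become parameters
        params.extend([key, str(value)])
    return "SELECT name FROM did_meta WHERE " + " AND ".join(where), params


if __name__ == "__main__":
    sample = [("project", "=", "higgs"), ("run_number", ">=", 1000)]
    print(build_query_unsafe("cms", sample))
    print(build_query_safe("cms", sample))
```

The safe builder's query string is identical for every request; only the parameter list changes, which is the property a reviewer should look for when auditing a query-construction path.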
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| rucio | PyPI | >= 1.30.0, < 35.8.5 | 35.8.5 |
| rucio | PyPI | >= 36.0.0, < 38.5.5 | 38.5.5 |
| rucio | PyPI | >= 39.0.0, < 39.4.2 | 39.4.2 |
| rucio | PyPI | >= 40.0.0, < 40.1.1 | 40.1.1 |
References
- github.com/advisories/GHSA-6j7p-qjhg-9947 (GitHub Security Advisory)
- github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29090 (NVD)