9.0
CVE-2026-29090: Rucio PostgreSQL Database Exposed to Unauthorized Access
GHSA-6j7p-qjhg-9947
CVE-2026-29090
Summary
Rucio deployments that have configured the `postgres_meta` external metadata plugin let any authenticated Rucio user execute arbitrary SQL against the metadata PostgreSQL database through the DID search endpoint, because user-supplied filter keys and values are interpolated directly into raw SQL statements. If that database is shared with Rucio's own tables, an attacker can read and modify sensitive data, including password hashes and active authentication tokens. To protect a deployment, upgrade to a fixed release; until then, ensure the `postgres_meta` plugin is not configured, or restrict the privileges of the database user Rucio connects with.
What to do
- Update rucio to version 35.8.5 if you run a release before 36.0.0.
- Update rucio to version 38.5.5 if you run 36.x through 38.x.
- Update rucio to version 39.4.2 if you run 39.x.
- Update rucio to version 40.1.1 if you run 40.x.
- If you cannot upgrade immediately, remove the `postgres_meta` metadata plugin from the configuration and limit the database user's privileges.
Affected software
| Ecosystem | Vendor | Product | Affected versions | Notes |
|---|---|---|---|---|
| pip | – | rucio | >= 1.30.0, < 35.8.5; >= 36.0.0, < 38.5.5; >= 39.0.0, < 39.4.2; >= 40.0.0, < 40.1.1 | Fix: upgrade to 35.8.5 (or to the fixed release of your branch) |
| – | cern | rucio | >= 1.30.0, < 35.8.5; >= 36.0.0, < 38.5.5; >= 39.0.0, < 39.4.2; >= 40.0.0, < 40.1.1 | cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:* |
Original title
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API
Original description
### Summary
A SQL injection vulnerability in `FilterEngine.create_postgres_query` allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the external metadata plugin `postgres_meta` is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL statements via Python `str.format`. This enables full database compromise including data exfiltration, data modification, and potential remote code execution via `COPY ... FROM PROGRAM`.
### Details
*Will follow in two weeks (2025-05-19).*
### Impact
**Vulnerability type:** SQL Injection (CWE-89)
**Who is impacted:**
- Rucio deployments that have explicitly configured the `postgres_meta` metadata plugin.
**What an attacker can do:**
- **Data modification:** PostgreSQL stacked queries enable arbitrary `INSERT`/`UPDATE`/`DELETE` operations.
- **Remote code execution:** Via PostgreSQL's `COPY ... FROM PROGRAM` if the database user has superuser or `pg_execute_server_program` privileges.
- **File system access:** Via `COPY ... TO/FROM '/path'` if filesystem permissions allow.
**Further elevation when the same PostgreSQL database and credentials are used for metadata and for Rucio itself**
- **Full database read access:** Any table can be read, including `identities` (password hashes and salts), `tokens` (active authentication sessions), `accounts` (user enumeration), `rse_settings` (storage endpoint credentials), and `rules` (data management policies).
- **Password hash extraction:** Combined with Rucio's use of single-iteration SHA-256 for password hashing (no KDF), extracted hashes can be cracked at GPU speed.
- **Authentication token theft:** Active bearer tokens can be extracted and used for immediate session hijacking.
**Required attacker privileges:** Any authenticated Rucio user. Authentication tokens can be obtained via any supported method (userpass, x509, OIDC, SAML, SSH, GSS). No special roles or administrative permissions are required. The `GET /dids/<scope>/dids/search` endpoint is available to all authenticated users.
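The pattern described in the summary, shown side by side with a hardened form, as an added example that is not Rucio's code and not taken from the advisory. It runs against an in-memory sqlite3 table standing in for PostgreSQL; the table schema, the sample rows, the allow-list of metadata keys and the two payloads are all constructed here for illustration. The vulnerable builder pastes filter keys and values into the statement with `str.format`; the hardened builder binds values as query parameters and, since identifiers cannot be bound, checks keys against an allow-list before quoting them.

```python
import re
import sqlite3

# Constructed sample data: a wide metadata table standing in for the
# postgres_meta store. Schema and rows are invented for this example.
SAMPLE_ROWS = [
    ("user.alice", "data1", "atlas", "AOD"),
    ("user.alice", "data2", "cms",   "RAW"),
    ("user.bob",   "data3", "atlas", "AOD"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE did_meta (scope TEXT, name TEXT, project TEXT, datatype TEXT)")
    conn.executemany("INSERT INTO did_meta VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_sql(scope, filters):
    # The flawed pattern: caller-controlled keys and values are pasted into the
    # statement with str.format, so both become part of the SQL grammar.
    clauses = ["scope = '{}'".format(scope)]
    for key, value in filters.items():
        clauses.append("{} = '{}'".format(key, value))
    return "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)


ALLOWED_KEYS = {"project", "datatype"}  # illustrative allow-list of known columns
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def hardened_sql(scope, filters):
    # Keys are identifiers and cannot be bound, so they are checked against the
    # allow-list and quoted; values are always passed as bound parameters.
    clauses = ["scope = ?"]
    params = [scope]
    for key, value in filters.items():
        if key not in ALLOWED_KEYS or not IDENT_RE.match(key):
            raise ValueError("rejected filter key: %r" % (key,))
        clauses.append('"%s" = ?' % key)
        params.append(value)
    return "SELECT name FROM did_meta WHERE " + " AND ".join(clauses), params


def run_vulnerable(conn, scope, filters):
    return sorted(row[0] for row in conn.execute(vulnerable_sql(scope, filters)))


def run_hardened(conn, scope, filters):
    sql, params = hardened_sql(scope, filters)
    return sorted(row[0] for row in conn.execute(sql, params))


def demo():
    conn = make_db()
    benign = {"project": "atlas"}
    bad_value = {"project": "x' OR '1'='1"}          # breaks out of the value quotes
    bad_key = {"project = '' OR 1=1 --": "ignored"}  # injected through the key
    results = {
        "vulnerable_benign": run_vulnerable(conn, "user.alice", benign),
        "vulnerable_bad_value": run_vulnerable(conn, "user.alice", bad_value),
        "vulnerable_bad_key": run_vulnerable(conn, "user.alice", bad_key),
        "hardened_benign": run_hardened(conn, "user.alice", benign),
        "hardened_bad_value": run_hardened(conn, "user.alice", bad_value),
    }
    try:
        run_hardened(conn, "user.alice", bad_key)
        results["hardened_bad_key"] = "accepted"
    except ValueError:
        results["hardened_bad_key"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the vulnerable builder both payloads turn a scope-restricted lookup into a query that returns every row in the table, which is the same control an attacker would use on PostgreSQL to append stacked statements. With a real psycopg2 connection the value placeholders would be `%s` and identifiers would be quoted with `psycopg2.sql.Identifier` rather than by hand.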
GHSA CVSS 3.1 score: 9.9
Vulnerability type
CWE-89
SQL Injection
Published: 6 May 2026 · Updated: 28 May 2026 · First seen: 6 May 2026