CVE-2026-25733
Stored XSS in Rucio WebUI Custom Rules Enables Session Hijacking
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cern | rucio | to 35.8.3 (exc) |
| cern | rucio | From 36.0.0 (inc) to 38.5.4 (exc) |
| cern | rucio | From 39.0.0 (inc) to 39.3.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1004 | The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25733 is a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the Rucio WebUI. It occurs because attacker-controlled input submitted via the comment field during rule creation is stored by the backend and later rendered in the WebUI without proper output encoding.
This allows an attacker to execute arbitrary JavaScript code in the context of the WebUI for any user who views the affected pages. The vulnerability is triggered when the malicious script is rendered, for example, when viewing or approving rules in the WebUI.
The unsafe rendering methods like .html() without sanitization and the lack of HttpOnly flags on session cookies make it possible for attackers to steal session tokens or perform unauthorized actions.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary JavaScript execution in the WebUI, which may result in session token theft or unauthorized actions by attackers.
- Attackers can steal session cookies because they lack the HttpOnly flag, allowing JavaScript access.
- API tokens exposed in JavaScript variables can be compromised.
- Attackers can exfiltrate sensitive data by sending stolen tokens to attacker-controlled domains.
- Unauthorized actions such as creating new UserPass identities, modifying or deleting RSEs, or exfiltrating data can be performed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious script payloads in the comment fields of Custom Rules created via the WebUI or API. Specifically, look for suspicious inputs such as <script> tags in rule creation requests (POST /proxy/rules/).'}, {'type': 'paragraph', 'content': 'You can monitor HTTP requests to the rule creation endpoint and inspect stored rules in the WebUI under Monitoring > Subscriptions and Rules or Data Transfer (R2D2) > Approve Rules for any unexpected JavaScript code execution.'}, {'type': 'paragraph', 'content': 'Commands to assist detection might include using network traffic inspection tools like curl or wget to fetch rule data, or grep to search for script tags in stored rule comments if you have backend access.'}, {'type': 'list_item', 'content': 'Example curl command to fetch rules: curl -X GET https://<rucio-webui>/proxy/rules/'}, {'type': 'list_item', 'content': "Example grep command to search for script tags in exported rule data: grep -i '<script>' rules_export.json"}, {'type': 'paragraph', 'content': 'Additionally, review WebUI pages for unexpected JavaScript alerts or behaviors that could indicate stored XSS exploitation.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Rucio to one of the patched versions: 35.8.3, 38.5.4, or 39.3.1, which fix the stored XSS vulnerability in the Custom Rules function.
Until the upgrade is applied, avoid using the Custom Rules feature in the WebUI or API to prevent attackers from injecting malicious scripts.
Additional mitigations include enforcing strict Content Security Policies (CSP) on the WebUI to restrict script execution, setting the HttpOnly flag on session cookies to prevent JavaScript access, and avoiding exposure of API tokens in JavaScript variables.
Review and sanitize any existing stored rules to remove malicious script payloads.