Executive Summary

CVE-2026-25734 is a stored Cross-Site Scripting (XSS) vulnerability in the Rucio WebUI, specifically in the RSE metadata fields such as City, Country_Name, and ISP. These fields accept attacker-controlled input that is stored by the backend and later rendered in the WebUI without proper output encoding or sanitization.

This flaw allows an attacker to submit malicious JavaScript code via POST requests to certain endpoints, which then executes whenever an authenticated user views the affected pages. This arbitrary JavaScript execution happens in the context of the WebUI.

The vulnerability can lead to session token theft and unauthorized actions within the WebUI, such as creating or deleting RSEs or creating new UserPass identities with attacker-known passwords.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant impacts including theft of session tokens and API tokens, which are accessible to JavaScript due to missing security flags like HttpOnly.

An attacker exploiting this vulnerability can perform unauthorized actions such as creating or deleting RSEs or creating new user identities with known passwords, potentially compromising the integrity of the system.

Because the malicious script executes in the context of the WebUI, it can exfiltrate sensitive information by sending it to attacker-controlled domains.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of malicious JavaScript payloads in the RSE metadata fields such as City, Country_Name, and ISP within the Rucio WebUI. Specifically, look for stored scripts like <script>alert('XSS')</script> in the RSE Management dashboard under paths such as Admin > RSE Management and Admin > RSE Management > RSE NAME."}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to monitor POST requests to endpoints like /proxy/rses/XSSTEST where attacker-controlled input might be submitted.'}, {'type': 'paragraph', 'content': 'Suggested commands include using curl or similar tools to send test POST requests with a benign XSS payload to the suspected endpoints, for example:'}, {'type': 'list_item', 'content': 'curl -X POST -d "City=<script>alert(\'XSS\')</script>" https://your-rucio-instance/proxy/rses/XSSTEST -b cookie.txt -c cookie.txt'}, {'type': 'list_item', 'content': 'Then, access the RSE Management pages in a browser with developer tools open to check if the script executes.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing the source code or logs for unsafe rendering methods like .html() without sanitization in the WebUI code can help identify vulnerable spots.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade Rucio to one of the patched versions: 35.8.3, 38.5.4, or 39.3.1, which fix the stored XSS vulnerability.

Avoid using unsafe rendering methods such as .html() without proper sanitization when displaying user-controlled metadata in the WebUI.

Use safer alternatives like .text(), text nodes, or templating systems that automatically escape output to prevent script injection.

Implement additional defense-in-depth measures such as enforcing strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts.

Set the HttpOnly flag on session cookies to prevent JavaScript access to session tokens.

Avoid exposing API tokens in JavaScript-accessible variables to reduce the risk of token exfiltration.

Useful 0 Not Useful 0