CVE-2026-25735
Stored XSS in Rucio WebUI Identity Name Enables JS Execution
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cern | rucio | Up to 35.8.3 (exc) |
| cern | rucio | From 36.0.0 (inc) to 38.5.4 (exc) |
| cern | rucio | From 39.0.0 (inc) to 39.3.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1004 | The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25735 is a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name field of the Rucio WebUI. An attacker can submit malicious JavaScript code as the identity name, which is then stored by the backend and later rendered in the WebUI without proper encoding. This causes the malicious script to execute in the context of the WebUI when viewed by users.
The vulnerability occurs when an attacker sends a malicious script payload via a POST request to the endpoint /proxy/accounts/{account}/identities. The stored script executes when viewing the account identity page, potentially affecting any authenticated user, including administrators.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary JavaScript execution in the WebUI, which may allow attackers to steal session tokens or perform unauthorized actions.
- Session token theft due to JavaScript access to cookies lacking the HttpOnly flag.
- Unauthorized actions such as creating new UserPass identities with known passwords.
- Creating or deleting RSEs (Rucio Storage Elements).
- Exfiltration of sensitive data by encoding stolen tokens in requests to attacker-controlled domains.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to submit a malicious script payload in the Identity Name field via a POST request to the endpoint `/proxy/accounts/{account}/identities` and then checking if the payload is executed when viewing the account identity page in the WebUI.
- Use a command like: `curl -X POST -d 'identity_name=<script>alert(document.cookie)</script>' https://<rucio-webui>/proxy/accounts/{account}/identities` to submit a test payload.
- After submitting, log in to the WebUI and navigate to Admin > Account Management > ACCOUNT NAME to see if the script executes (e.g., an alert popup).
Detection involves verifying if attacker-controlled input is stored and rendered without proper output encoding, leading to arbitrary JavaScript execution. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Rucio WebUI to versions 35.8.3, 38.5.4, or 39.3.1 where the vulnerability is fixed.
- Avoid using unsafe rendering methods like `.html()` for user input unless the content is explicitly sanitized.
- Use safer alternatives such as `.text()`, creating text nodes, or templating systems with automatic escaping to render user input.
- Implement defense-in-depth measures including enforcing a strict Content Security Policy (CSP).
- Set the HttpOnly flag on session cookies to prevent JavaScript access.
- Avoid exposing API tokens in JavaScript-accessible variables within the WebUI.
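As an added example (not Rucio's own code), the two rendering patterns named above side by side: interpolating the identity name straight into markup, as a jQuery `.html()` call on a template string does, versus escaping it first. The identity record and its field names are constructed assumptions; the hostile value is the test payload quoted in the detection section.

```javascript
// Added example, not Rucio WebUI code. A constructed identity record in the
// shape the WebUI might receive from /proxy/accounts/{account}/identities
// (the field names are assumptions).
const SAMPLE_IDENTITIES = [
  { identity: "jdoe@cern.ch", type: "X509" },
  // Constructed hostile value: the payload from the detection section above.
  { identity: "<script>alert(document.cookie)</script>", type: "USERPASS" },
];

// Vulnerable pattern: the raw value becomes part of the markup, so any tag
// inside the identity name is parsed and executed by the browser.
function renderIdentityRowUnsafe(row) {
  return `<tr><td>${row.identity}</td><td>${row.type}</td></tr>`;
}

// Escape the five characters that can switch HTML context. In a browser the
// same effect comes from a text node (cell.textContent = value) or jQuery's
// .text(value); an auto-escaping template engine does this implicitly.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every user-controlled field is escaped before it is
// concatenated into markup, so the payload is displayed, not executed.
function renderIdentityRowSafe(row) {
  return `<tr><td>${escapeHtml(row.identity)}</td><td>${escapeHtml(row.type)}</td></tr>`;
}

// Regression check for a test suite: the rendered HTML must not contain any
// raw tag that appeared in the input value.
function containsRawTag(html, value) {
  const tag = String(value).match(/<[a-zA-Z][^>]*>/);
  return tag !== null && html.includes(tag[0]);
}
```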