CVE-2026-29090
Analyzed Analyzed - Analysis Complete
SQL Injection in Rucio Data Management Software

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
### Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29090
EUVD
EUVD-2026-27875
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
cern rucio From 1.30.0 (inc) to 35.8.5 (exc)
cern rucio From 36.0.0 (inc) to 38.5.5 (exc)
cern rucio From 39.0.0 (inc) to 39.4.2 (exc)
cern rucio From 40.0.0 (inc) to 40.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection issue in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, specifically in the FilterEngine.create_postgres_query() function. It allows any authenticated Rucio user to execute arbitrary SQL commands against the PostgreSQL metadata database via the DID search endpoint.

The problem arises when the postgres_meta metadata plugin is configured. Attacker-controlled filter keys and values are directly inserted into raw SQL strings using Python's .format() method, which are then treated as trusted SQL syntax by psycopg3's sql.SQL() function. This improper handling enables SQL injection.

Impact Analysis

Exploitation of this vulnerability can have severe impacts depending on the database privileges of the service account. An attacker could expose sensitive tables, modify or delete metadata, access server-side files, or even execute code on the server using PostgreSQL features such as COPY ... FROM PROGRAM.

Compliance Impact

The SQL injection vulnerability in Rucio allows attackers to execute arbitrary SQL commands, potentially exposing sensitive data such as password hashes, authentication tokens, user accounts, storage credentials, and data management policies.

Such exposure and unauthorized access to sensitive personal and organizational data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality, integrity, and availability of sensitive information.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to data breaches, unauthorized data access, and potential misuse of protected information.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the DID search API endpoint, specifically GET /dids/<scope>/dids/search, for suspicious or malformed filter parameters that could indicate SQL injection attempts.

Since the vulnerability involves attacker-controlled filter keys and values being interpolated into SQL queries, you can look for unusual or unexpected SQL syntax in logs or by capturing traffic.

Suggested commands include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests to the vulnerable endpoint, for example:

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep '/dids/'

Additionally, you can check application logs for suspicious queries or errors related to the postgres_meta plugin.

You may also attempt to test the endpoint with crafted filter parameters to see if arbitrary SQL execution is possible, but this should be done carefully in a controlled environment.

Mitigation Strategies

The immediate mitigation step is to upgrade Rucio to one of the fixed versions: 35.8.5, 38.5.5, 39.4.2, or 40.1.1.

If upgrading immediately is not possible, consider disabling the postgres_meta metadata plugin to prevent exploitation.

Restrict access to the DID search API endpoint to trusted users only, as exploitation requires authentication.

Review and limit the database privileges assigned to the Rucio service account to minimize potential damage if exploited.

Monitor logs and network traffic for suspicious activity targeting the vulnerable endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29090. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart